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1 PROCE 


2 THE CLERK: All rise. 


3 Interpreters, you're still under oath. 


4 THE COURT: So what's the issue this morning, please? 


5 MR. NEMTSEV: The only issue I had is when that came 


6 up yesterday about marking all of these log files as an exhibit 


7 but the government not admitting them, yet the witness 


8 testifying to their contents without the admission of those 


9 logs. 


08:50 10 THE COURT: Well, I think the way we left it is I 


11 would mark it for identification. You would move to strike 


12 anything that was either inadmissible or unfairly prejudicial. 


13 MR. NEMTSEV: No, Your Honor, I don't move to strike 


14 anything. I would -- 


LS THE COURT: Are you moving to strike the whole 


16 exhibit? I'd say no. 


17 MR. NEMTSEV: No, no. I'm not moving to strike 


18 anything from the log files. 


19 THE COURT: Oh, you just want to admit it right now? 


08:50 20 I don't understand what you want. 


21 MR. NEMTSEV: The log files, Exhibit 71, the lengthy 


£ 


22 list of Julia Soma's account did this from this IP address, 


23 from this computer. 


24 THE COURT: I'm sorry. I'm mixing it up. This is my 


25 . I thought you were referring to the texts. 
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i MR. NEMTSEV: No, no. I'm referring to the exhibit 


2 related to this witness. 


Si THE COURT: All right. You moved to admit one of the 


4 ones that we allowed in yesterday, the log files involving 


5 Merrill, right? TM? So you're saying we should be moving in 


6 the one involving DFIN. s that it? 


7 MR. NEMTSEV: think we should be moving -- or the 


8 government should have moved them all in. How can a witness 


9 testify as to the contents of log files without actually 


08:51 10 admitting the underlying log files? 


11 THE COURT: I don't remember. Did you move —-- 


12 MR. KOSTO: Yesterday we moved in a number of exhibits 


13 under 71, 71A, 71B, which the witness testified were the 


14 contents of messaging from those logs. What Mr. Nemtsev is 


15 asking is that the entirety, the millions of rows of logs, 


16 including the geolocation information that the witness 


17 testified he didn't know where it came from and he didn't rely 


18 on it. What the defense wants to do is hold up the geolocation 


19 information, point to it and say, It doesn't say Boston. 


08:52 20 THE COURT: Just so I understand. The excerpts that 


21 you used, you moved in yesterday? 
22 MR. KOSTO: Yes. 
23 THE COURT: Okay. Now -- just to make it clear, you 


24 want to move in the whole log file? 


25 MR. NEMTSEV: Yeah, I think it has to be, because this 
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i witness testified about hacks going from February of 2018 to 


2 August of 2020. The snippets that they put in don't support 


Si that. They're going to have a witness, Mr. Lewis —- 


4 THE URT: First of all, you haven't moved them in 


5 yet. So are u doing that now? 


6 MR. MTSEV: "m sorry? 


7 You have not yet moved them in yet. 


8 MR. NEMTSEV: The log files or the snippets? The 


9 snippets, they moved in. 


08:52 10 THE COURT: The snippets are in. 


de. MR. NEMTSEV: Yes. 


12 THE COURT: They're in. Do you want to move in all 


13 the log files? 


14 . IMTSEV: We have to, I believe, Your Honor. 


15 : Just, are you moving them in? 


16 . MTSEV: Yes. 


LS) : The entire log files from DFIN? 


18 ; IMTSEV: Yes, but they want portions of 


19 redacted. 


08:52 20 THE COURT: This guy -- if I can't remember his 


21 name -- doesn't know what that information is. Is someone that 


22 you're going to be putting on the stand going to be able to 


23 verify what that is? 


24 ‘ EMTSEV: We could have our expert explain what it 


25 is. He does know what it is. He just says, I didn't rely on 
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A it. He doesn't say it's unreliable. He says it came from 
2 Microsoft. 
3 THE COURT: He said he didn't know how it was 


4 generated. 


5 MR. NEMTSEV: He said it came from Microsof 


6 logs were generated by Microsoft. 


7 THE COURT: Are you going to call someone from 


8 Microsoft as to how they were generated? I don't know how they 


9 were generated. I have no basis for it. 


08:53 10 MR. NEMTSEV: They were generated by Microsoft 


11 consistent with the entire log, not just portions of it. 


12 The entire log was generated by Microsoft. Are they arguing 


13 that the entire log is unreliable? 


14 THE COURT: I didn't know that. The entire log was 


LS generated by Microsoft? 


16 MR. KOSTO: No, Your Honor. The geolocation 


1 information is the issue here, and before trial, the defense 


18 noved to exclude the geolocation information from MaxMind. And 


19 in arguing that -—-- and I'm in docket 126 right now -—- the 


08:54 20 defense pointed to MaxMind and then said, MaxMind is 


21 unreliable. If you look at IP2Location, another company, you 


22 get one city. If you look at IPinfo, another type of company, 


Te 


23 you get a different location. 


you look at db-ip, which is 


- 


24 used by Microsoft, you get a different location. 


25 THE COURT: You did not prepare me on this. 
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i understand that Microsoft would be generating information based 


2 on yet another source. So the guestion I have is: This 


3 don't know about it. It wasn't vetted with me. I knew about 
4 MaxMind. 


5 MR. KOSTO: And this witness has testified that beyond 


6 the fact that it comes from Microsoft, he doesn't know where it 


7 came from and he didn't rely on it, so the -- 


8 THE COURT: Well, I'm not allowing it to come in. 


9 That said, if you have some expert who can help me on that, we 


08:54 10 can just mark it for ID and I will allow it to come in. It 
11 just depends on who you have. Do you have an expert coming 


12 on it? 


13 . NEMTSEV: Well, we have an expert, a forensic 


14 expert. I sure he could testify to -—- 


LS COURT: All right. So if he can say it's reliable 


16 and the kind of thing people rely on, as I've said fora 


£ 


LS) million years, what's sauce for the goose is sauce for the 


18 gander. 


19 MR. FRANK: Two points on that, Judge, quickly. First 


08:55 20 of all, their expert hasn't been noticed on that issue. 


21 But second of all, in that, what Mr. Kosto was just 


22 reading, Mr. Nemtsev argued that the Microsoft data was no more 


23 reliable than the MaxMind data. The next one he was going to 


24 read was that Microsoft provides yet another source. It's all 


25 identical. They all do the exact same thing. 
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il THE COURT: Well, right now I have no evidence from 


2 the defense that it's reliable. As in zero. If you put in 


3 evidence that it's reliable, I will allow you to put it in, and 


4 I'll allow them to rebut with the same information that we were 


5 fighting about in the motions in limine in rebuttal -- or not 


6 rebuttal, but to respond to it. Because they can put in their 


7 MaxMind data, and the jury can have all the limitations on it. 


8 Right now I have no evidence on point. 
9 MR. FRANK: Well, it's even more than that, because 


08:56 10 they've actually argued it's not reliable. This exact data 


ala they've argued is not reliable. 


12 THE COURT: Excuse me. ] I don't know this 


13 area very well 


14 MR. FRANK: T understand, Judge. 


15 THE COURT: -—- but the argument was about MaxMind, not 


16 about Microsof 


17 MR. FERNICH: Judge, let me 


18 THE COURT: Excuse me. 


19 MR. FERNICH: I'm sorry. 


08:56 20 THE COURT: I know nothing about Microsoft's 


21 reliability. Microsoft strikes me as a reputable company, 


22 would we say? So if Microsoft is relying on this data, perhaps 


23 it is relatively reliable. But so far -- you won that fight. 


24 If you want to open up that can of worms again, your call, with 


25 your expert, or with him, he -—- he couldn't tell you. I mean, 
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1 so he didn't know. And then the government gets to put in 


2 theirs. 


3 Okay. Now, I have a question about venue now that 


4 we're on it. I started to think about putting this case 


5 together. 


6 THE CLERK: Hold on, Judge. That's the court officer. 


7 THE COURT: Don't let them in yet. 


8 Because this all goes to the issue of venue, of 


9 course. What is the story with does venue get is that 


08:57 10 the first question asked to the jury, and if they -- is it 


11 last question asked to the jury? 


12 MR. FERNICH: I'm sorry. I missed that. 


13 THE COURT: I've actually not hit this issue. So 


14 for some reason they decide there's no venue, double 


15 jeopardy -- in other words, it can be retried, right? 


16 MR. FERNICH: It's before the Supreme Court right 


1] that issue. 


18 THE COURT: Now you've got me. 


19 MR. FRANK: Judge, we dealt with this issue in the 
08:57 20 Varsity Blues cases. There was a venue instruction. So 


21 there's a standard venue instruction that they have to find by 


22 a preponderance that it touched Massachusetts. 
23 THE COURT: Sure. 
24 MR. FRANK: But there's no separate -—- there's no 


25 separate question put to them on the -—- they still have to just 


08:58 10 
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decide the counts the way they decide the counts. 


an issue in the instructions, just like -—- 


THE COURT: 

MR. FRANK: 

COURT: 

MR. FRANK: 

THE COURT: 

that the practice? 


MR. FRANK: 


THE COURT: 


So it's just 


So there's no separate question? 


There's no separate question. 


Are you 
A hundr 
That's 
don't 


That's 


the Varsity Blues cases, and 


So you 


sure? 
ed percent sure. 
the way Judge Gorton 


KNOW. 


the way it was dealt 


did it, but is 


with in all 


£ 


I've never heard o 


simply say to them, i 


find the venue, you find not guilty? 


MR. FRANK: 


it being put 


to the jury as a separate question on the questionnaire. 


£f you don't 


There's a standard instruction. We have 


it in our instructions. 


THE COURT: 


08:58 20 


21 


22 


23 


know. 


It wasn't helpful. 


The venue 


instructions for both sides were not particularly 


trying to do research on it. 


IT had it come up in 


Mr. Kosto knows. So let's assume for a minute, y 


prove by a preponderance of the evidence venue. 


guilty? 


MR. FRANK: 


Is that how it gets resolved? 


Yes, bu 


t I don't know that t 


helpful. I'm 
eBay, as 


ou didn't 


Is it a not 


hat's the 


instruction. The instruction we gave to the Court is the 


24 


25 


standard First Circuit -- 


THE COURT: 


What do 


you do? You're the 


juror. You 
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1 think you don't know whether it's in Prague or you don't know 

2 whether it's in Korea. 

3 MR. FRANK: And it's a thing that they have to find in 
4 order to convict, just like any other element. 

5 THE COURT: Excuse me. So if you haven't proven it, 

6 is it not guilty? 

7 MR. FRANK: Yes, but they —- 


8 THE COURT: That's all I'm asking. 


9 MR. FRANK: Yes, but I don't know that that specific 
08:59 10 verbiage is in the instruction. 


11 THE COURT: No, but it's going to be. Either that or 


12 [ do a separate question. Let me ask you this: The issue 


13 really is if there's no venue, does that trigger double 


14 jeopardy? When I dismiss -- it came up in eBay. f dismiss 


£ 


15 on the issue of venue, you just get to try it somewhere els 


16 MR. NEMTSEV: That's the issue in the Supreme Court 


LS) case right now. The Eleventh Circuit the Eleventh Circuit 


18 reversed a count for insufficient evidence on venue, and 


19 there's a circuit split as to whether the defendant can be 


08:59 20 retried somewhere else, and that's what they're going to 


21 resolve in the case. 


22 THE COURT: Neither of you gave me verdict slip, so 


23 was just thinking about it last night. What would be your 


24 position on that? Are you agreeing with the Eleventh? 


25 MR. NEMTSEV: No, we don't like the Eleventh. The 
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al Eleventh found that it can be retried, and, you know, the 


2 Supreme Court is going to figure that out. I think we are 


3 going to get the answer. 


4 THE COURT: If it's simply a not guilty, I will never 


6 MR. EV: Well, we wouldn't want a special verdict 


7 on venue. 
8 THE COURT: That's agreed, all right. 


9 MR. FRANK: Well, no, that's an issue we —- with 


09:00 10 respect to the -- I think that's right, but I just want to 


11 check with our appeals unit on that. 


12 THE COURT: I don't know. I usually have venue arise 


13 as a motion to dismiss the indictment. I haven't had it arise 


14 in this context. So right now you're both agreeing, subject to 


LS my hearing something else, that it's bound up in -- if you 


16 don't find venue, it's a not guilty? 


Ly MR. FERNICH: Yes. 


18 MR. FRANK: Yes, Your Honor, but what I do think we 


19 object to is a separate instruction with respect to that one 


09:00 20 issue that if you don't find it, it's a not guilty. It would 


21 be the same instruction as you give, we submit, for all the 


22 elements, which is if you don't find any element, it's a not 


23 guilty. 


24 THE COURT: Of course. 


25 MR. FRANK: But we don't say for each individual 
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1 element, if you don't find this element, it's a not guilty. If 


Be 


2 you don't find this element, it's a not guilty. 


i) THE COURT: I don't know how I'll word it yet. 


4 just basically dealing with the fact of whether I need a 
5 special question on it, and you're both agreeing the answer is 
6 no. 


7 What's the name of that court case? 


8 MR. NEMTSEV: don't remember the name of it, but 


9 while we're going, I'll look it up. I'll find it for you. 


09:01 10 I don't think it's been argued yet. There was a piece 
11 on it in Law360 a couple weeks ago that explained it very well, 
12 laid out the issues. 


13 THE COURT: It's fascinating. 


14 MR. NEMTSEV: Yeah, it's a real weird one. I mean, 


15 there obviously would be collateral estoppel implications, 


16 maybe, by a special verdict. I don't know. It seems —-— 


17 THE CO : Is the jury here? 


18 THE CLERK: 


19 THE COURT: And was somebody going to ask that 
09:01 20 question for that juror? 


21 THE CLERK: Answer that question. 


22 THE COURT: I have the question. 


23 MR. KOSTO: I can take care of it, Your Honor. 
24 COURT: On redirect? 


25 » KOSTO? Sure. 


09:02 10 


09:02 20 


21 


22 


23 


24 


25 
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COURT: 


MR. NEMTSEV: 


MR. KOSTO: 


THE COURT: 


of browsers? 


MR. KOSTO: 


All right. I don't even understand it, 


What was the question, Your Honor? 


The question was: Is the browser -—-— 


Is user agent string just di 


fferent types 


Yes. I'm not answering the question, but 


that was the question. 


MR. NEMTSEV: 


could ask it, Judge. 


Could I write it down? 


THE COURT: 


don't understand 


want me to ask him to amplify it? 


MR. NEMTSEV: 


THE COURT: 


No, I'll ask the question as it is. 


What does it mean? 


MR. NEMTSEV: 


the little snippets, 


assume when the government put in 


there was browser data. I assume that's 


what he's asking about. So I'll ask the witness what that 


string means. 


THE COURT: 


All right. And how much longer do you 


have with the witness? 


MR. NEMTSEV: 


25 minutes. 


THE COURT: 


MR. KOSTO: 


THE COURT: 


Okay. And... 


No more than that, Your Honor. Probably 


fF it, depending on what the cross is. 


Okay. 
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1 MR. FERNICH: And the case is Smith -- unhelpfully, 


2 it's Smith v. United States. I don't have a docket number on 


3 it, but I'm sure somebody could find it pretty quick. 


4 THE CLERK: One quick question. 


5 (Discussion held off the record.) 


6 MR. FERNICH: Timothy Smith. 


7 THE COURT: So are you offering in the log 


8 their entirety? 


9 MR. NEMTSEV: "m going to ask him about the 


09:03 10 reliability of the log files. If he says they're reliable, 


11 then, yes. If he says no -- 


12 THE COURT: And then you're going to object as far as 


13 the reliability of those columns, and I will -- at this point, 


14 I will hold on that, and we'll wait to hear what various -- 


15 there are various forensic experts coming in who you can ask 


16 about it, and so I'll allow them in except for those, which 


17 I'll mark for identification. 


18 THE CLERK: Do you have a number for that, or you'll 


19 give it to me later? 
09:03 20 MR. KOSTO: Well, the log, in its entirety, is 


2] Exhibit 71. 


22 THE CLERK: I know. 


23 MR. KOSTO: But if we let in Exhibit 71, the 


24 geolocation information comes right in with it, which is why -- 


25 THE COURT: No, it doesn't. I just explained it 
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1 wasn't. I'm not going to allow -- I'm going to hold on the 


2 issue of geolocation. They're not going to be sitting here 


3 reading 71. So -- all right? I guarantee -—- 
4 MR. KOSTO: We'll prepare a version of it that redacts 
5 those columns. 


6 THE COURT: All right. And we'll see if somebody puts 


7 it in as reliable, and then you can put in -—- like, I don't 


8 even have any information that Microsoft relies on MaxMind. It 


9 would be of interest to me if somebody as -—- if a company as, 


09:04 10 don't know, big as Microsoft found it reliable. I didn't have 


11 that information before. 


12 MR. FERNICH: But, Judge, in the motion, when we took 


13 the position that the MaxMind evidence shouldn't be admissible 


on 


14 in the absence of an expert pro 


fer, Daubert-type proffer in 


15 advance, we cited two cases dealing with the Microsoft 


16 geolocation evidence by analogy. One was from the Western 


17 District of New York. I think one was from somewhere out in 


18 Minnesota. It's near the back of the motion. And in those 


19 cases, the judges took the exact approach that Your Honor was 


09:04 20 suggesting. If we proffer they let the evidence in. The 


21 proponent in that case, the government, just —- they just made 


22 the government put somebody on to say, you know, we used this 


23 and it's reliable enough, and it went to the jury. So that's 


24 what we're -- 


25 THE COURT: So if you get someone to say it, the 
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A government can put it in, and you can put it in. 


2 MR. FERNICH: Right. So I think Your Honor is 


Si it exactly in line with those two cases that we cited. 


4 THE COURT: I just wish I had dealt with it at 


5 front end rather than right now, but that is what it is. 


6 Is the jury here? 


7 THE CLERK: Yes. 


8 MR. FERNICH: The docket number of the Supreme 


9 case is 21-1576. 
09:05 10 THE COURT: Okay. Good. 


11 MR. KOSTO: Should I get Mr. Hartvigsen, Your Honor? 


12 THE COURT: Yes. Thank you. We're going to get the 


14 (Discussion held off the record.) 


15 MR. KOSTO: Your Honor, we did get a little feedback 


16 yesterday that the sidebars were guite audible. I don't know 


17 if we could have white noise or -- 


18 THE CO : Yeah, that sounds like a good idea. 


19 THE CLERK: All rise for the jury. 


09:07 20 (Jury enters.) 
21 THE COURT: Good morning to everyone. Thank 


22 much for showing up on time so we can get going right 


23 Did anyone speak about this case, see anything in the 


24 see anything on social media? All right. Thank you. 


25 complied with my instructions. We're going to finish 
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i think it's on the cross-examination. 
2 And were you going to start with that question from 


i) the juror? 


4 MR. NEMTSEV: was, Your Honor. 


5 THE COURT: All right. I wasn't sure I understood the 


6 ion, but he's going to try. If that's not the right 


7 ion, then you'll write it out again. Okay? 


8 JUROR: Yes. 


9 THE COURT: Go ahead. Please be seated. You're still 
09:08 10 under oath. 


11 DARON HARTVIGSEN, Previously sworn 


12 CONTINUED CROSS-EXAMINATION 


13 BY MR. NEMTSEV: 


14 O.. Good morning, Mr. Hartvigsen. 


15 A. Good morning. 


16 Q. So there's one question, and I believe this relates to the 


LS) snippets of log files that the government showed to you 


18 yesterday. 


19 A. Yes, sir. 


09:08 20 < And the question is: Are the user-agent strings just 


21 Lfferent types of browsers? 


22 A. The user-agent strings will document different types of 


23 browsers, yes. So if somebody uses a Firefox browser, it will 


24 show up different in the user-agent string, yes. 


25 oF And am I correct that in this instance, in almost all of 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 20 of 182 


1 the log files, you determined that a Chrome browser was used on 


2 a Windows laptop? 


3 A. There was different user-agent strings used across the 


4 logs. 


5 THE COURT: Here's my problem. I need to hear you. 


6 THE WITNESS: Oh, okay. 


7 THE COURT: So you're talking to him like a little 


8 private conversation. They're the audience. Me, secondary 


9 audience. But we all need to hear. All right? Thank you. 


09:09 10 THE WITNESS: Yes, ma'am. 


11 Ox So am I correct that most of the log files that you 


12 determined were potentially related to intrusions, that access 


13 was from a Windows computer and using a Chrome browser? 


14 2 I don't know if I would characterize it as "most." 


15 , But many? 


16 ; Many, maybe. 


Ly : Was that -—- 


18 : I'd have to look at my notes, but... 


19 : Do you have your notes with you? 


09:09 20 : No. 


21 : And these log files are very extensive, correct? 


22 2 Yes. 


23 : Going from about February of 2018 to August of 2020? 


24 : Correct. 


25 : For multiple users at DFI 
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al 7 Yes. 


2 : How were those log files created? 


3 : They were stored by the computers that created them. 
4 ‘ What system was used to create them? 


5 : Which log files are you referring to? 


6 : Let's -—- I'm going to ask you specifically about the Julia 


7 log files, for example. 


8 : Oh, okay. Yes. 


9 : Ms. Soma's log files, what system were those created by? 


09:10 10 : They were created by a Microsoft S server. 


11 ; S server. What is that? 


12 : Internet Information Services server. 


13 Microsoft logs applications on the Internet. 
14 Q. And these logs are created automatically by the server; if 


15 it senses an activity, it creates a log? 


16 A. Essentially, yes. 


17 Q. You didn't touch these log files, what you received is 


18 exactly what came from the Microsoft S server; is that 


19 Correct? 


09:11 20 A. We were provided those log files by DFIN, yes. 


21 Q. And you didn't manipulate the log files in any way, 


22 correct? 
23 A. No. 
24 Q. You didn't add any columns, you didn't subtract any 


25 columns. Whatever you received, that's what you relied on, 


09:12 10 
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correct? 


A. 


there were dif 


Ef 


Well, 


process. 


sorted them based on 


So when we received original 


IP; 


files, 


erent versions of the analysis 


log 


as an example. 


we may have 


Q. You may have sorted them and you may have used tools to 


analyze them, 


case came directly from the Microsoft 


the Julie Soma ActiveDisclosure 


columns, 


I believe, 


in those log 


£ 


S server, 


but the logs that you received and used in this 


correct? 


logs, 


yes. 


iles, 


related to 


there were two columns, 


IP geolocation. 


or three 


It states which 


11 IP was used by the Julia Soma account and what location that IP 


12 is associated with. 


13 Do you remember that? 
14 MR. KOSTO: Objection. 


15 THE COURT: Overruled. 


16 : What was the question? I'm sorry. 
17 : Within the Julia Soma log files —- 


18 : Okay. 


19 : -—- it shows Julia Soma's account connecting to DFIN's 


the Microsoft 


09:12 20 server, S server, through an IP address, 


21 correct? 


22 A. An 


IP address, yes. 


23 QO. 


Additionally, 


there are two columns or three columns that 


24 show that this IP address was associated with this city name, 


25 this state, this country; is that correct? 
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1 : There were yes, there were lines in the logs that had 


3 ‘ You didn't touch those lines, correct? 


4 : I didn't add those attributes, no. 


5 Q. Those came automatically from the Microsof 


6 correct? 


7 A. I believe so. 


8 Q. Do you believe that the Microsof S system is reliable? 


9 THE COURT: Is what? 


09:13 10 MR. NEMTSEV: Reliable. 


11 MR. KOSTO: Objection. 
12 THE COURT: Do you know one way or another? 


13 THE WITNESS: I do not. 


14 . So you don't know whether these log files are reliable? 


15 MR. KOSTO: Objection, asked and answered. 


16 THE COURT: Sustained. Ask about that information. 


17 MR. NEMTSEV: "m sorry, Your Honor, the IP 


18 geolocation? 


19 THE COURT: Yes. 


09:13 20 : Do you know where Microsoft obtained that geolocation 
21 


22 2 I do not. 


23 : Do you believe that Microsoft typically uses reliable 


24 sources? 


25 MR. KOSTO: Objection, foundation. 
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1 THE COURT: Sustained. 


2 MR. NEMTSEV: ‘ll move on. 


3 QO. The last time we left off, I believe we spoke about the 


4 fact that your investigation started after DFIN received an Sl 


5 subpoena; is that correct? 


6 A. 


7 Q. And the employee that you first focused on was Julia Soma, 
8 is that correct? 
9 A. 

09:14 10 Ou And who told you to focus on that employee? 


11 A. DFIN's lawyers. That was the first lead that we had that 


12 there was unauthorized activity. 


13 Q. And did DFIN's attorneys point you specifically to 
14 Ms. Soma? 
15 MR. KOSTO: Objection, Your Honor, to the privileged 


16 communications. 


17 THE COURT: Well, I'm not sure that it is. Overruled. 


18 Who are you? 


19 MR. BUCK: Your Honor, I'm an attorney for DFI 
09:14 20 Communications —- 


21 THE COURT: Are you objecting? 


22 MR. BUCK: I am objecting, Your Honor. I would object 
23 to communications —-— 


24 THE COURT: Well -- 


25 MR. NEMTSEV: This shouldn't be done in front of the 
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2 THE COURT: This shouldn't be done like this. You 


3 should have introduced yourself to me. 


4 I'll allow the general topic of whether they pointed 


5 you to a certain location. 


6 BY MR. NEMTSEV: 


7 Q. Did DFIN point you to a certain location? And by this 


8 location, I mean Julia Soma's account. 


9 THE COURT: Don't tell him what exactly they said 


09:15 10 about it, but did they focus you on that account? 


11 THE WITNESS: Yes. 


12 THE COURT: All right. Next question. 


13 : Have you ever met Ms. Soma? 


14 . Have I ever met Ms. Soma? 


15 , Yes. 
16 : We met over phone. 
ay ‘ Understood. 


18 And what kind of access did Ms. Soma's account have 


19 compared to, potentially, other employees at DFIN? 
09:15 20 : you be more specific? 


21 : there anything specific about Ms. Soma's account 


22 compared to other accounts in the ActiveDisclosure system? 


23 A. Oh. So, yes, we uncovered unauthorized activity on her 
24 account. 


25 Q. you uncovered it by looking at what? 
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1 A. At -- looking at logs, interviewing her about her 


2 activity, those kinds of things. 


3 ‘ Did Ms. Soma have an administrative account? 


4 : Did she have an administrator account for what? 


bs s For ActiveDisclosure? 


6 : No, not that I know of. 


7 . Did Ms. Soma's account have full access to all of the 


8 companies that were serviced by DFIN in ActiveDisclosure? 


9 A. She had broad access, yes. 
09:16 10 THE COURT: ActiveDisclosure is what again, to remind 
11 the jury? 


12 THE WITNESS: Sorry. ActiveDisclosure is the -- it's 


13 software that DFIN provides clients that allows them to 


14 collaborate. Public companies can put information in 


15 ActiveDisclosure and then use that to report performance and 


16 other data to SEC and others. 


17 Q. And do you know how many companies were serviced by the 


18 ActiveDisclosure system? 


19 A. I do not. 


09:17 20 Q. Do you know how many companies, for example, Ms. Soma's 


21 account accessed during the relevant time period? 


22 A. Not off the top of my head, no. 


23 O. More than a hundred? 


24 A. I can't answer. 


25 Q. You also obtained access to all of Ms. Soma's other 
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] electronic devices; is that correct? 


2 A. That's a -- can you define electronic devices? 


3 Q. You, for example, got access to her work computer; is that 


4 correct? 


5 : We collected her DFIN computer, yes. 


6 ‘ You also collected her personal laptop, correct? 


7 F That, I don't recall. 


8 MR. NEMTSEV: Your Honor, can I just show the witness 


9 a document, potentially, through this? 


09:18 10 THE CLERK: Judge, he's going to have to hand it to 


‘lal him. He can't just put it on the document camera. 


12 THE COURT: Just show it to him. 


13 THE WITNESS: Okay. 


14 Q. Does that refresh your recollection as to what devices you 


15 collected from Ms. Soma? 


16 A. Yes, it does. 


ay Q. So it was her work laptop, her personal laptop, and an 


18 additional device; is that correct? 


19 : . It says DFIN laptop, mobile device, and personal 
09:18 20 
21 . KOSTO: Your Honor, if the witness is refreshed, 


22 the document is ordinarily taken away. 


23 MR. FERNICH: I'll get it from him. 


24 THE COURT: Keep going, keep asking. I don't want to 


25 slow this down. 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 28 of 182 


1 Q. And you reviewed all of her activity on her mobile device, 
2 on her work laptop, her personal laptop, correct? 


3 A. Our team did, yes. 


4 O.. Extensive searches trying to determine whether there was 


5 any malware on her computers? 
6 : That's correct. 


7 ; Did you find any malware? 


8 : No, we found no malware. 


9 : You also reviewed the electronic devices of 
09:19 10 employees; is that correct? 
11 A. That's correct. 
12 Q. There was an employee by the name of Ms. Han; is that 
13 correct? 
14 A. Yes. 
LS , Mr. Lewis? 


16 : Correct. 


17 : A Ms. Guevara, if I'm saying that correctly? 


18 ‘ I'm not sure how to pronounce her name. 


19 : A Mr. Storino; is that correct? 


09:20 20 : I'd have to refresh my memory on that one. 


21 MR. NEMTSEV: Could I put that document in 


22 him again, Your Honor? 


23 THE COURT: Is this essential? 


24 MR. NEMTSEV: No, I could move on. 


25 : But you also focused your investigation on two employees 


09:20 10 


09:21 20 


21 


22 


23 


24 


25 
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from the UK; 


Poland; 


And another UK employee by the name of Nasreen Gaff 


That name, 


focused on two —-— 


is that correct? 


on laptops that were in the UK. 


laptop belonged to Mark Rumbelow, correct? 


[ believe that's accurate. 


don't recall. 


You also focused your investigation on an employee from 


On a laptop 


A Ms. Uryga, 


I'm not sure 


And you found no 


We found renamed 


is that correct? 


from Poland, yes. 


if I'm pronouncing it correctly? 


how to pronounce her name. 


and systems in the UK. 


Q. 


you 


UK-related laptop, correct 


Aue 


malware on any of these devices, correct? 


versions of PowerShell on a Poland system 


And systems in the UK. 


So that's where you focused your investigation, because 


You focused yo 


ted in the UK 


ted some activil 


don't know 


don't unders 


1 


found something potent 


tially in the Polish laptop and the 


? 


tand that question. 
ur investigation, in part, on the employees 


the employee located in Poland because you 


ty that came from Poland and came from the 


if I'd say focused our investigation, but we 


detected renamed versions of PowerShell on systems in the UK 
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al. and Poland. 


2 Q. And Ms. Han, she was an employee of IN that worked in 
3 South Korea, correct? 


4 A. Yes. 


5 Q. And as part of your request to her, you asked her to send 


6 her laptop from South Korea to Washington, D.C.; is that 
7 correct? 

8 A. That is accurate, yes. 

9 Q. And that laptop never made it to Washington, D.C., 


09:22 10 correct? 


11 : It eventually did make it. 


12 : But it was lost for some time in Poland, correct? 


13 : It was actually lost in, believe, the DHL cent 


14 ; Thank you. 


15 Now, this PowerShell activity that you found emanating 


16 from Poland and the UK, there was a modification date to the 
17 PowerShell; is that correct? 


18 A. Yes. 


19 Q. And when was that PowerShell modified, or the modification 
09:22 20 date? 


21 A. So one of them was September of 2017, and the other one 


22 I believe, November of 2019. 


23 Q. And your testimony, I believe on direct, was tha 


24 intrusions occurred from February of 2018 to August of 


25 COrrect? 
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i MR. KOSTO: Objection. 
2 THE COURT: Overruled. 
3 A. What was the question? 


4 Q. Your testimony on direct examination was that the 


5 intrusions occurred from February of 2018 to August of 


6 that correct? 


7 A. I said we had logs from the 5th of February 2018, and the 


8 last we observed them in the systems was August of 2020. 


9 Q. So there's potential that there were intrusions based on 


09:23 10 your review of all the forensic evidence prior to February of 


11 2018; is that correct? 


12 A. We only had logs that were available that were -—- that 


13 were detailed enough to go back to February 5th of 2018. 


14 Q. So you can't exclude that there were intrusions in 2017, 


15 2016, 2015, correct? 


16 A. I can't say one way or the other. 


17 Q. In these log files, specifically Mr. Soma and Ms. Han, 


18 you've located a number of suspicious IP addresses, correct? 


09:24 20 : I believe that number was 110, based on what 
21 read; is that correct? 
22 A. That sounds accurate. 
23 Q. And those -- 
24 THE COURT: So there were 110 what? Just project it 


25 out. What were there 110 of? 


09:25 10 


09:25 20 


21 


22 


23 


24 


25 
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IP addresses, 


THE COURT: 


THE W 


looked at the logs, 


that were not consistent with Ms. 


And those 110 


Lfferent Internet 


ITNESS: 


correct? 


No, what are you saying -—- 110 what? 


Suspicious IP addresses. So when we 


there was roughly 100 or so IP addresses 


Soma's normal use. 


with 26 


IP addresses were associated 


correct? 


That, 


don't 
Q. 
provider, correct? 


THE COURT 


was the number of 


THE WITNESS: 


service providers associated with those 


More than one 


Yes. 


They were associated with more than just one 


service providers, 


recall. 


: Give us a ballpark. What do you remember 


Internet service providers? 


don't recall the number of 


IPs. 


7 


More than five? 


YES: 


THE COURT 


THE WITNESS: 


: More than ten? 


That, don't recall. 


MR. NEMTS 


EV: Your Honor, could I refresh the 


witness's memory? 


THE COURT 


: Yes. 


MR. NEMTS 


THE WITNESS: 


EV: Thank you. 


Okay. 


09:27 10 


09:27 20 


21 


22 


23 


24 


25 
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Q. 


MR. NEMTSEV: Could you set it aside? Thank you. 


Does that refresh your recollection? 


It does. 


So there were 110 IP addresses associated with 26 Internet 


ce providers, correct? 


YES. 


And what is an Internet service provider? 


It is an organization or an entity that will provide 


Internet access, kind of like Google or the like. 


And it wasn't exclusively AirVPN IPs that were located, 


correct? 


A. 


Q. 


We were focused on VPN connections. 


VPN connections, but AirVPN would be the ISP; 


correct? 


A. 


AirVPN was a VPN connection that we saw. 


And if you checked, would AirVPN show up as an ISP? 


It would show up as the origin of that connection. 
So in that list of 26 -—- 


THE COURT: Could you just -- so they can understand 


NEMTSEV: Sure. 


THE COURT: So is a VPN an Internet service provider? 


THE WITNESS: A VPN provider is a -- is a service that 


focuses on a private network. An Internet service provider can 


be much broader than just providing VPN services or virtual -- 


09:28 10 
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THE COURT: VPN service provider is a subset --— 


THE W 


ITNESS: It can be, yes. 


THE COURT: —- of an Internet service provider; is 


that right? It's a kind of Internet service provider; is that 


right? 


THE W 


ITNESS: Yes. Exactly. 


THE COURT: So when you said 26, does that include VPN 


providers? 


THE WI] 


09:28 20 


21 


22 


23 


24 


25 


So AirVPN 


Yes. 


[TNESS: Yes. 


BY MR. NEMTSEV: 


is just one of the 26 that you found, correct? 


Others that you found were Datapipe; is that correct? 


Yes). 


Quintex? 


Mm-hmm, yes. 


Highwind Network Group? 


Highwinds, yeah. 


believe 


Korea Telecommunications? 


That one 


And would 


I'm not recalling as a VPN service. 


you agree that a VPN -- I'm sorry. Strike that. 


THE COURT: So everything he just said, are those 


THE WI] 


provider being 


[TNESS: I don't recall the Korea service 


a VEN, but... 
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al. - But all the other ones were VPNs? 


2 ‘ I believe so. 


IP address, it's not the 


3 Q. And would you agree that an 


4 equivalent of, let's say, a Social Security number? 


5 A. I would agree that it's not the equivalent of a Social 


6 Security number. 
7 Q. Correct, because a Social Security number is one number 


8 that attaches to one person for the life of that person, 


9 correct? More or less. You could obviously make changes, but 


09:29 10 more or less, it's one number associated with one person for 


11 the remainder of their life? 


12 A. Sure. 


13 Q. And an IP address is consistently changing. You can log 


14 in with one IP address today. You can log in with a different 


is) [P address tomorrow, correct? 


16 A. Depending on your service provider and the connection that 


LS) you have. 


18 THE COURT: So if you take one Internet service 


19 provider -- it's a company, right? It's an organization or a 
09:30 20 company, right? 


21 THE WITNESS: So some companies can maintain ownership 


22 of IPs over time. So like AT&T, they own IP space, and they 


23 have that IP space over time. 


24 THE COURT: But what about others? 


25 THE WITNESS: In the case of a VPN, the design of a 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 36 of 182 


IP addresses 


1 VPN is actually to obfuscate the origins so the 


2 are not necessarily the same. 


Si THE COURT: So does a VPN move it from physical 


4 location to physical location? 


5 THE WITNESS: Physical location wasn't part of our 


6 analysis. We didn't associate that with tracking these actors. 


7 THE COURT: So you just tracked the service provider 


8 but not the location of where the server was? 


9 THE WITNESS: The IP address associated -- and where 


09:31 10 that was registered and who that was registered to. 
11 THE COURT: You did or didn't? 


12 THE WITNESS: We tracked the IP address and where that 


13 was registered to at the time. 
14 THE COURT: Go ahead. 


15 BY MR. NEMTSEV: 


16 Q. Would you agree, especially in connection with the VPNs, 


LS) and potentially maybe with AT&T, that ten people, a hundred 


18 people could be using an IP address at the same time? 


19 A. There could be multiple users on an IP, or there could be 


09:32 20 one. 


21 Q. But in the case of VPNs, which are specifically designed 


£ 


22 to aggregate Internet traffic, it's much more likely, wouldn't 


23 you say, that there are multiple users from various parts of 


24 the world, potentially, using one IP address, correct? 


25 A. I don't know about much more likely. In our case, we saw 
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1 VPN activity to the DFIN network, but we didn't do analysis on 


2 how many, you know, potential users from that VPN might be -- 


3 Q. Let me ask a different -- what cell phone provider do you 


5 : I'm sorry? 


6 ‘ What cell phone provider do you use? 


7 F Do I use? 


8 : Yes. 


9 . AT&T. 


09:32 10 : I use AT&T as well. If you and I both connect to the 


11 Internet right now using our AT&T data, both you and I would 


12 have the same IP address, correct? 
13 MR. KOSTO: Objection. 


14 THE COURT: If you know. 


15 A. IT actually do not know if that would be the case. 


16 Q. Okay. So based on all of your investigation, the twelve 


ay people that assisted you, the review of multiple personal, 


18 business electronic devices, were you able to determine who 


19 intruded into DFIN's system? 
09:33 20 A. Who or -—- are you asking about, like, a person? 
21 Q. Yeah. Was it one person? Was it ten people? Was it a 


22 hundred people? Was it a million people? 


23 A. We were able to determine that there was specific 


24 doing specific things, accessing specific users on DFIN's 


25 network. 
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1 Q. But you weren't able to determine who -- if it was 110, a 


2 million people on the other side of the keyboard using those 


3 IPs, correct? 


4 A. We saw —- or -—- and we documented the use of IPs and the 


5 access to DFIN's users. That type of analysis wasn't part of 
6 our work. 


7 Q. So you weren't able to identify a single intruder or a 


8 group of intruders, correct? That wasn't your analysis? 


9 A. I'm not sure I understand the question. 


09:34 10 THE COURT: Do you know who the intruders were? 


11 THE WITNESS: We know a lot about the intruders and 


12 what they did. What their names were? That wasn't part of the 


13 information that was collected by DFIN logs or -- 


14 Q. And based on all the information that you collected { 


15 DFIN's logs, you have no idea whether any intrusion is 
16 connected to Russia or not, correct? 


17 A. That wasn't an analysis that we did. 


18 MR. NEMTSEV: Nothing further, Your Honor. 


19 REDIRECT EXAMINATION 


09:35 20 BY MR. KOSTO: 
21 Or. Good morning, Mr. Hartvigsen. 


22 A. Good morning. 


23 OQ. Mr. Nemtsev asked you about approximately 26 IP 


24 addresses —- or, excuse me, a hundred or so IP addresses from 


25 approximately 26 providers, correct? 
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2 Q. And several of those providers were private, virtual 
3 private networks, correct? 


4 A. 


5 Q. And among them, what was the provider that featured most 


6 prominently in your analysis of that group? 


7 A. AirVPN was very common in our analysis. 


8 Q. And Mr. Nemtsev asked you if there were one, ten, a 


9 hundred different users who might be accessing the network over 


09:36 10 a given IP address, correct? 


12 ‘ Even where Ankura saw activity coming from different 


13 addresses, what was common about what was happening on DFI 


£ 


14 network, regardless of which IP address it came from? 


15 A. What was common was that the actors were logging into 


16 Julie Soma's account or Ms. Han's account or Mr. Lewis's 


Ly account. 


18 Q. And what kinds of information was being taken from Mr. Han 


19 or Mr. Lewis or Ms. Soma's account regardless of the IP that it 


09:36 20 came from? 


21 A. It was information from public companies from 


22 ActiveDisclosure. 


23 OC. And what times of day, relative to those employees' shift, 


24 was the information coming out regardless of what IP it came 


25 from? 
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1. A. It was usually during times of day when those users were 


2 not typically at work. 


3 Q. And regardless of which IP it came from, was the 


4 information taken consistent with the employees' usage of 


5 machines in their jobs? 


6 A. That was one of the indicators where in some cases much 


7 more was taken over time than usual, as an example. 


8 : I that indicator that you've described was true as to 


9 P 3, IP 4, and so on? 
09:37 10 


11 Ox What did the fact that all of the different IP addresses 


12 were doing essentially the same thing cause you to believe 


13 about the attacker or adversary? 


14 A. That the adversary was after -—- 


15 HE WITNESS: I'm sorry. 


16 HE COURT: You can answer. 


17 A. That the adversary was after the same information. 


18 Q. And if the adversary was after the same information, what 


19 does that cause you to believe about the person or persons who 


09:38 20 was intruding on DFIN's network? 


21 A. That the totality of the activity was the same person or 
22 group. 


23 MR. KOSTO: Nothing further, Your Honor. 


24 MR. NEMTSEV: Nothing further. 


25 THE COURT: Thank you. Sir, you may step down. 


09:39 10 


09:39 20 


21 


22 


23 


24 


25 
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WITNESS: Thank you. 


COURT: Your 


KOSTO: The United St 


CLERK: Sir, 


BRYAN GARABO, 


record. 


G-a-r-a-b, as in boy, -o. 


: WITNESS: Sure. 


next witness. 


tates calls Bryan Garabo. 


could you raise your right hand. 


THE CLERK: Thank you. 


sworn 


CLERK: Could you please state and spell your last 


Bryan, B-r-y-a-n, Garabo, 


MR. KOSTO: You can have a seat, Mr. Garabo. Do mea 


favor and pull that microphone right up to you. 


BY MR. KOSTO: 


Q. 
the same, 


A. 


And 


okay? 


Okay. 


That 


What 


New 


Any 


MR. KOSTO: May 


THE COURT: Yes, 


Do I have it right, Mr. 


"S correct. 


city do you work in, 


Jersey. 


particular city? 


DIRI 


ECT EXAM 


NATION 


please. 


Hillsdale, New Jersey. 


I'll do my best to keep my voice up if you would do 


I proceed, Your Honor? 


Garabo, is that the pronunciation? 


sir? 
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1 ‘ And where do you work? 


2 ‘ For Donnelley Financial Solutions. 


3 : What do you call Donnelley Financial Solutions for short? 


4 : DFIN. 


5 : How long have you been at DFIN? 


6 : I've been at Donnelley for nearly 40 years. Six years at 


7 DFIN since we spun out. 


8 : When you say spun out, what was DFIN called before it 


9 became DFIN? 


09:40 10 : R.R. Donnelley. 


11 ‘ And so you started with R.R. Donnelley back when? 


12 : In the early '80s. 


13 F You're a lifer? 


14 . Yes. 


15 : What's your title there? 


16 : Senior vice president of service. 


17 : And let me direct you to the period of 2018, 2019, and 


18 Okay? What was your position then? 


19 : Senior vice president of service. 


09:40 20 : And what was the senior vice president of service 


21 responsible for in that window? All my questions will be about 


22 2018, '19, and '20. 


23 A. Understood. During that time, I was responsible for what 


24 we call our traditional business and our software business. 


25 Q. Can you say a word about what the traditional business is 
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1 first? 


2 A. Sure. The traditional business is a business where 


3 clients will send us their requests and we do all the work for 
4 them. They have no access to any information once we put it on 
5 our system until we send it back. 

6 Q. Where do you send it once you've gotten it physically? 


7 A. Once we receive their request, we would process it 


8 internally on our systems and then send it back to the clients 


9 when completed. 


09:41 10 Q. And does that traditional business involve 


11 ActiveDisclosure at all? 


12 A. Tt doesn't involve ActiveDisclosure, but what we do in the 


13 traditional side of the business is what is replicated in 


14 ActiveDisclosure. 


15 Q. So the traditional business still involves filing 


16 financial reports, just not through the software? 


Ly A. Correct. 


18 0. Okay. So what is the software business? 


£ 


tware built to allow the clients 


19 A. ActiveDisclosure is a so 


09:42 20 to do all the work. It's a self-service SaaS solution. 


21 Ox. And does DFIN work with any particular industry for its 


22 ActiveDisclosure business? 


23 A. Corporations. 


24 OQ. Does it work in any particular marketplace? Oil and gas 


25 versus e-commerce? 


09:42 10 


09:43 20 


21 


22 


23 


24 


25 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 44 of 182 


know, I would say all corporations. 


How about the size of those companies? Big, small, and in 


between? What's the —- 


All different sizes. 


How many employees worked in the ActiveDisclosure business 


were supervising it? 


Say approximately a hundred. 


where are those employees located? 


They're scattered out across the world. 


Why across the 


Sure. We're a 


world if DFIN is a U.S. company? 


globally -- a global company. We have 


businesses and employees in London, in APAC, Canada, so not 


just specifically in the U.S. 


What do companies in those countries need of a business 


helps file things with the SEC? 


documents that have 


If there are regulations that they need to file with 


to go through the SEC, we would support 


them in that process. 


Q. And what was your role specifically with respect to the 


software business? 


A. I would oversee the business to make sure that once the 


jobs were sold, that 


clients in the way 


t our service team was supporting the 


that we are expected to support them. 


£ 


Q. Are you familiar with the different kinds of filings that 


are handled through 


the ActiveDisclosure system? 
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al ; Yes. 


2 : Can you explain to the jury briefly what a Form 10-K is? 


3 ; Sure. All public companies need to file their financials 


4 once a year, and that would be incorporated in the 10-K. Soa 


5 yearly filing with the SEC. 


6 : And is there a deadline associated with that filing? 


8 Q. How long —- how long after the end of the year do the 


9 companies have to put it on file? 
09:44 10 A. Typically around the end of March. 
11 Q. How about a Form 10-Q? 


12 A. Similar to the 10-K, it's smaller and it's done ona 


13 quarterly basis with financials and filed with the SEC. 


14 Q. Are there similar kinds of information in the Forms 10-K 
15 and 10-Q? 
16 ‘ Yes. 


17 : How would you describe it to a layperson? 


18 : The financials of the company. 


19 2 How do those two forms differ from a Form 8-K? A 


09:44 20 ifferent number here. 


21 A. An 8-K is another filing type that is used to file 


22 different types of documents. It may include some financials, 


23 but not necessarily. 


24 Q. Do Forms 8-K take place on that same guarterly or annual 


25 calendar cycle? 
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1 A. Typically, there's an 8-K earnings release that comes 


£ 


2 prior to the actual filings. 


3 Q. When are other times that Forms 8-K can show up? 


4 A. Sure. If the company has an announcement to make, if 


5 they're changing anything within the company that the public 


6 needs to know, those 8-Ks are filed. 
7 Q. How about something like a change in leadership at the 


8 company? 


9 : Sure. That would be a reason to file an 8-K. 
09:45 10 : Or the decision to sell a part of a business? 
11 : That would be another reason, yes. 
12 : One last one for you. What is an Exhibit 99? 
13 : An Exhibit 99 is an exhibit that's filed, and it's kind of 


14 a catchall exhibit for corporations to put in, you know, 


LS different types of documents that they need to file with the 


16 SEC. 


17 Q. Can you contrast for the jury what's in the form, the 8-K, 


18 the 10-K, the 10-0, versus what's in the exhibit, the 


19 Exhibit 99? 


09:45 20 A. Sure. The biggest contrast would be in the basis of 


21 the -—- the Ks and the Qs are all the financials, and the 


22 exhibits are ancillary documents to support the filing o! 


23 or the Q. 


24 Q. Where would the press releases that described the 


25 financial performance of the company show up? 
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1. : Once they're filed? 
2 ‘ Where within the 10-K or 


3 ‘ In the exhibits. 


4 ‘ In the Exhibit 99? 


3 ‘ Yes. 


6 : When DFIN has filing information, before it gets to the 


7 ! does the public know about that information? 


8 ‘ No, sir. 


9 : And at that time, when that information is in DFI 


09:46 10 possession, how does DFIN treat it? 


11 A. Confidential information. 


12 Q. Are you familiar with policies at DFIN regarding the 


£ 


client information? 


13 confidentiality o 


14 A. Yes. Each year employees need to sign off on a 


LS confidentiality agreement so they understand the business and 
16 the dos and the don'ts. 


Ly QO. And what are the don'ts? 


18 A. You can't speak about or use any confidential information. 


19 It's just there for us to process. 


09:47 20 Q. Does DFIN have policies around trading based on that kind 


21 of information? 


22 A. Yes. You can't. 


23 QO. What do your employees, the employees that you supervise 


24 in the service organization, do back in that time period? 


25 A. Sure. There's different parts of the service 
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1 organization. One part is the implementation team. That's a 


2 team used to train the clients on the software and make sure 


i) they're getting up and running and understanding the software 


4 and being there for technical support moving forward. There's 


5 also a full technical support team that supports the clients if 


6 they have any technical issues with the software itself. And 


7 then there's a service team that kind of oversees the projects 


8 to make sure that the clients are indeed moving in the software 


9 the way they should. 


09:48 10 O. You mentioned technical employees. Can you explain, not 


‘lal too deeply, but what's the technical piece to a bunch of words 


12 and numbers on a page? 


13 A. Sure. It's less about the words and numbers on the page, 


14 but how the system is performing. If there are certain buttons 


15 that aren't working in the software, they would call the 


16 technical support team just to see what -- and troubleshoot why 


17 that's happening. 


18 ‘ Are you familiar with the term "XBRL"? 


19 Yes. 


09:48 20 : And what is that? 


21 : It's a tagging process that we go through for public 


£ 


ic information in documents. 


22 companies that tags speci 


23 Q. Is that a form of information that the SEC is expecting to 


24 receive from companies when they make public filings? 


25 A. Yes, it's a requirement. 


09:49 10 


And what happens if a DFI] 


The 
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[IN client's XBRL isn't correct? 


filing wouldn't go through. 


And so the technical employees you're describing do what? 


Sure. 


the XBRL tagging is correct. 


On that side of the business, 


they would make sure 


Do all of these employees that you've described who work 


in your organization have access to the ActiveDisclosure 


network? 
A. 
And how do they obtain 


Through their personal 


acCess 


in the course of their jobs? 


log-in information. 


Q. In 2018, 


‘19, and '20, 


require a password as well? 


09:49 20 


21 


22 


23 


24 


25 


A. Yes. 
Q. And for clients -- for 


how broad was their access? 


A. They had access to all 


did access to ActiveDisclosure 


employees who supported clients, 


client projects. 


Ox Could you explain -- have you been in ActiveDisclosure 


yourself at the time? 


A. I have not. You know, 


supporting clients. 


Yes. 


When you put your username and log-in password in, 


pops up? 


But did you ever log in? 


I was not logged in or, 


you know, 


Just the team that supports them. 


what 


Just so the jury can sort of have a picture in their 
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1 head of what an employee might see. 


2 A. Sure. Once they get in, they're in the portal of 


3 ActiveDisclosure, the software itself. 


4 OQ. And how are the clients! information organized within that 


5 portal? 


6 : It's specific to each client and each project. 


7 . I don't know if American Airlines is a client, but i 


8 wanted to find the American Airlines information, what would I 


9 have to do? 


09:50 10 A. The employee, I believe, would have specific, you know, 


1] information to get into that project. But once they log into 


12 the software, they were able to access all documents that we 


13 service. 


14 ; Is each project stored separately by company client? 


15 : Yes. 


16 ‘ Do you know of an individual named Hyeyoung Han, H-a-n? 


Ly 7 Yes. 


18 2 Who is she? 


19 : She works on the operations team on the eXBureau side of 
09:51 20 the platform. 

21 : She's one of those technical folks? 

22 : Yes. 


23 : How about Jason Lewis? 


24 ‘ Yes. Jason Lewis is an ActiveDisclosure salesperson. 


25 : So he sells the software to potential clients? 
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1 : Yes. 
2 ‘ And then lastly, do you know of a Julie Soma? 
S ; Yes. 


4 : And what is her role, 2018, 2019, and 2020, at DFIN? 


5 : During that time, she was likely an implementation 


6 itect. She switched roles, so —- but implementation 


7 itect. She would be the one setting up clients and getting 


8 up and running in ActiveDisclosure. 
9 : A person who supports clients' work? 


09:51 10 : Correct. 


Li MR. KOSTO: No further guestions, Your Honor. 
12 THE COURT: Thank you. 


13 Any questions? 


14 CROSS-EXAM 


15 BY MR. FERNICH: 


16 Q. Good morning, Mr. Garabo. My name is Fernich, and I'ma 


ay lawyer for Mr. Klyushin over there. We don't know each other, 


18 do we, sir? 


19 - No, sir. 


09:52 20 : We've never met or spoken, have we? 


21 : No; Sir. 

22 ‘ Sir, you spoke with the government back on January 10th. 
23 Sound about right? 

24 A. Approximately. 


25 Q. Yeah. Have you spoken with the government since then? 


09:53 10 


09:53 20 


21 


22 


23 


24 


25 
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Yes. 
You have? When was the last time 


The other day. 


The other day. 


3=52 


you spoke with them? 


And if you know, did you speak with these prosecutors 


right here? 


Yes. 


And maybe an F agent, government 


I'm not too sure who else was in 
No worries. 
They asked you some questions? 


Correct. 


t agent, do you know? 


the room. 


And you gave them some answers, yeah? 


COrrect.. 
All to prepare for your testimony 
Yes. 


And I didn't catch the exact date 


working for Donnelley or a predecessor 


that correct? 
A. "84, 
Sorry. 
That's okay. 
Almost 40 years, yeah? 


Yes. 


here today in court? 


. You told us you'd been 


Since around 1988; is 


And you're a lifer, like my friend Mr. Kosto put it, yeah? 


09:53 10 
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I've been there 40 years, for -- close to 40 years. 


And what did you say, Hilldale, New Jersey? 


Hillsdal 


Oh, Hill 


Okay. Have you ever testified in court be! 


Cis 


lsdale. Where is that, what county? 


It's North Jersey. Bergen County. 


No, sir. 


Okay. Certainly, then, never had to testift Donnelley 


in your adult life tenure there? 


A. No, sir, I have not. 


Q. Turning 


us on direct 


back to the period of 2018 through '20, you told 


that Donnelley handled or had access to sensitive 


financial information; is that correct? 


A. That is 


Q. And you 


correct. 


also told us that it was important to keep that 


information confidential, right? 


09:54 20 


21 


22 


23 


24 


25 


A. Correct. 


Q. And it was so important that the employees had to sign 


confidentiality agreements and were given primers on 


fidentiality policies? 


Yes. 


Did you 


Yes. 


have to sign one of those too? 


And all 


of this is because Donnelley had fiduciary 


responsibilities to its clients; is that right? 
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1. A. That is right. 


2 Q. And speaking of clients, fair to say that Donnelley had 


3 around 300 employees dedicated to client service? Not 


4 necessarily through the AD system, but 300 in total? 


5 A. Yeah, I would say during that time, approximately. 


6 Q. Right. And those 300 employees were located all over the 
7 world? 
8 A. Correct. 


9 Q. Right. And you told us with respect to the 


09:55 10 ActiveDisclosure system -—- I may lapse into it calling AD. We 


1] lawyers abbreviate things there were about 100 employees 


12 using AD at the time? 


13 : Approximately. 


14 ; And they too were located all over the world? 


15 : Correct. 


16 : And you told us, your word, I think, that the folks using 


1] D had "broad access" to client information; is that correct? 


18 ; They had access to client information. 


19 Q. Right. Do you know any customer service employees located 
09:55 20 in Russia? 


21 A. I do not. 


22 Q. Now, in fact, Mr. Garabo, some 1,600 Donnelley employees 


23 and vendors had accounts with access to the DFIN computer 


24 network back then. Does that make sense? 


25 A. I couldn't confirm that number, no. 
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i : Well, you worked there for 40 years, yeah? 


3 O:. A great many employees and vendors? I mean, that's a 


4 subjective term. 


5 A. Yes. Certainly a lot of employees. 


6 Q. Fair enough. 
7 Now, as of February 2020 -- you know what multifactor 


8 authentication is? 


9 A. Yes, I do. 
09:56 10 Ox Okay. That's where you use —-- you know, when you get 
11 something from a bank, maybe they'll send you a code that you 
12 have to text in to make sure you're the account holder? 


13 A. Yes. 


14 Q. Back in 2020, DFIN -—- none of the accounts for the 


LS employees or the clients required multifactor authentication 


16 back then to gain access; is that right? 


17 A. During that time, 2020, I would say, you know -—- 


18 so. The timeline, you know, would be a little bit uncl 


19 exactly the time that we rolled that out. 


09:57 20 Q. Right. You believed they didn't require multifactor 


21 authentication back then; is that correct? 
22 A. Correct. 


23 Q. Right. And you told us on direct that -- at least I think 


24 you said, about the AD people, they'd access it by uSing a 


25 simple username and password combination? 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 56 of 182 


1 A. Yes, username and password. 
2 Ox Right. So there was, like, no special security code or 


3 enhanced security measures, nothing like that? 


4 A. On ActiveDisclosure, during that time, no. 


5 QO. And you know —- maybe you do, maybe you don't -—- that back 


6 in February of 2020, Donnelley was considering at that time 


7 rolling out multifactor authentication in the future? 


8 A. I do know at some point in time whether it was, you 
9 know, February of 2020 -- that we were rolling that out. 
09:57 10 O. Fair enough. 


11 The folks -—- well, strike it. 


12 The client service employees, they had mobile devices, to 


13 your knowledge, mobile cell phones? 


14 A. Yes. 


15 Q. Okay. And those devices were smartphones that would have 


16 access to the Internet, presumably? 
Ay A. Presumably, yes. 


18 Q. And some of Donnelley's client service employees, the 100, 


19 300 or so, some of them were located in South Korea; is that 
09:58 20 right? 


21 A. Correct. There's an employee or two in that -- 


22 Q. Yeah. And I'm going to mess up this name, so I'm -—- Han. 


23 How about Han, does that work? 


24 A. Yeah, if it's the same person t was referenced earlier. 


25 Q. Yeah. Yeah. And do you know t one of the employees, 
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1 Han's laptop, was lost in transit with DHL from South Korea to 


2 the Washington, D.C. area? 


3 : I'm not aware. 


4 ‘ You hadn't heard that? All right. 


5 To your knowledge, did DFIN employees use a suite of 


6 online collaboration and productivity tools called G Suite? 


7 A. I'm not familiar with G Suite. 


8 Q. Fair enough. 


9 And besides employees and vendors, you told us, 


09:59 10 that DFIN clients could participate and collaborate in 


1] preparing their SEC filings through the AD platform? 


12 A. Correct. That's how it's built. 


13 Q. Yeah. It was built to allow clients to do all the work, 


14 think that's what you told us, more or less, on direct? 


15 : Correct. 


16 ‘ And about how many clients, if you know, did DFI] 


ike) in 2018 through '20? 


18 : Yeah, I wouldn't know specific numbers on the service 


19 you know, I'd be guessing. 


09:59 20 : Well, you knew that clients were located worldwide, right? 


21 F Correct. 


22 ; A great many clients? 


23 : It's hard to specifically say what that means, but back in 


24 it was early in the software, so I wouldn't have a 


£ 


25 specific number. 
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i : More than 100, would you say? 


2 ‘ I would say approximately, yes. 


3 ‘ More than 500? 


4 ‘ During that time, I don't know if we had 500 clients on. 


5 : Okay. Each client, they weren't limited to just one 


6 account on the AD system, were they? 


7 2 Each account -- each client? 


8 : Some clients had more than one account? 


9 : Correct. 


10:00 10 : At some point were there have you heard within the 


ala company that there were 6,000 client accounts total back then? 


12 A. No, that wouldn't be information that would come to me. 


13 Q. Okay. And do you know if suspicious activity was 


14 identified on different IP addresses in DFIN's system between 


15 2018 and 2020? Do you know anything about that? 


16 A. No, sir. 


LS) ©. Okay. Do you know if in 2018 through 2020, DFIN was 


18 working on increased cyber hygiene as part of a previous 


19 corporate strategy? Did you know that? 


10:01 20 A. In general, it's been a focus for us as a company and all 
21 companies. 
22 : Well, you don't know about all companies personally -- 
23 : Correct. 


24 : -—- that's just your supposition, yeah? 


25 . Correct. 
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i . KOSTO: Objection. 


2 . FERNICH: Okay. Nothing further. Thank you very 


4 WITNESS: All right. Thank you. 


5 COURT: Anything else? 


6 REDIRECT EXAM 


7 BY MR. KOSTO: 


8 Q. Mr. Garabo, when the clients were doing the work with the 


9 software on their own, where was the information stored? 


10:01 10 A. In our software. 


11 Q. And the term "earnings filings," does that mean anything 
12 to you? 
13 : Sure. Yes. 


14 ‘ What are earnings filings? 


15 . Companies will -—- 


16 MR. FERNICH: Objection, beyond the scope. 


17 THE COURT: Overruled. 


18 Do you know? 


19 THE WITNESS: Earning filings are, you know, exactly 


10:02 20 what they are. They're reported earnings that the company has 


21 closed on. 
22 Q. How do they relate to Forms 10-K and 10-Q? 


23 MR. FERNICH: Objection, beyond the scope. 


24 THE COURT: Overruled. 


25 ‘ Those financials are in the 10-K and the quarterly 


10:03 10 
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MR. KOSTO: Nothing further, Your Honor. 


THE COURT: Anything else? 


MR. FERNICH: No, ma'am. 


THE COURT: Thank you. Thank you for coming. 

Next witness. 

MR. KOSTO: The United States calls Hyeyoung Han. 

Your Honor, she was in the café. She's coming right 
upstairs. 

THE COURT: So why don't we stand and stretch, then. 


Good morning. 


THE CLERK: Could you raise your right hand. 


HYEYOUNG HAN, sworn 


THE CLERK: You can be seated. Could you please state 


spell your last name. 


THE ESS: Han, H-a-n. 


THE K: Thank you. 


DIRECT EXAM 


BY MR. KOSTO: 


10:05 20 


21 


22 


23 


24 


25 


Q. What is your first name, Ms. Han? And go ahead and spell 


it too. 


A. Hyeyoung, H-y-e-y-o-u-n-g. 


Q. Good morning. 


A. Good morning. 


MR. KOSTO: May I proceed, Your Honor? 
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1 THE COURT: Yes. 


2 : What city do you work in, Ms. Han? 


3 F Now, I'm working in Ulsan, South Korea. 
4 ‘ And what company do you work for? 


5 ‘ DFIN Solutions. 


6 . What is DFIN? 


i : Like, you mean my company? 


8 : Yes. What does DFIN do? 


9 . Yes. We are helping the public companies filing their 


10:05 10 financial statements to SEC. 


11 Q. And how often does that take place? 
12 A. There are quarterly filings and annual filings. So every 


13 three months we have filings. 


14 Q. Are there filings that take place during other times of 


15 the year as well? 


16 A. Yes. There are 8-Ks, like when they have some kind of, 


17 like, event to report to the public, they have 8-Ks. 


18 : Can that include earnings and financial information? 


19 : No, it only have a cover page and the event. 
10:06 20 : Okay. Have you always worked in -—- how long have you been 


21 DFIN? 


22 : I've been working in DFIN 13 years. 


23 ; Have you always worked in Korea for DFIN? 


24 ‘ No. I worked in the Rockville, Maryland until 2013, and I 


25 moved back to Korea in 2013. 
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1 ©. Can you tell the jury what ActiveDisclosure is? 


2 A. ActiveDisclosure is our -—- so our company's software 
3 helping clients to —- like, public companies to file their 


4 financial statements in electronic form. 


5 QO. And what role do you have at DFIN for ActiveDisclosure? 


6 A. I was like -- I was a data analyst. We are helping 


- clients, like, preparing the electronic filing form. We are -—-— 


8 it's called tagging or mapping. So the SEC provided accounting 


9 concepts of taxonomy and we are -—- 


10:07 10 THE COURT: I'm having a little trouble following you, 


11 t slow down a little bit. What did you do as a data 


12 t? 


13 THE WITNESS: Okay. So as a data analyst, we are 


14 helping clients preparing their electronic form of filings. 


15 ‘ I'm sorry to interrupt. Were you part of the content of 


16 filings or the technical aspects of the filings? 


Ay A. Contents. I have an accounting major, and I am a, like, 


18 licensed CPA. So I'm -— I tag -—- like, I find like concepts -- 


19 THE COURT: You're a tech? 


10:08 20 THE WITNESS: No, it's not tech. Tag. 


21 THE COURT: A tag? 


22 THE WITNESS: Yes. 


23 THE COURT: All right. 


24 ; You apply electronic tags, t-a-g -- 


25 . Yes. 
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al. : —- to documents? 


3 Q. And do you work with a system called -—- or a language 


4 called XBRL? 


6 : Is that part of your job to convert documents into XBRL 
7 format? 
8 A. Yes. So -- 
9 ‘ And that's —- 
10:08 10 : Yeah. 


11 . Go ahead. 


12 : The SEC provides accounting tags in taxonomy, and we 
13 find —- 


14 THE COURT: What taxonomy? 


15 THE WITNESS: It made of all the tags SEC created. 


16 find, like, a tag f each number. So we find the -—- 


LS] so tag represents number. 


18 MR. KOSTO: So i Lf I could help, Your Honor. 


19 : If there is an earnings portion of the reports, does that 


10:09 20 have a tag? 


21 A. . So, like, every numbers in the financial statements 


22 can be tagged, like revenue, expense, income tax, or like that. 


23 Q. And does each one of those components of the report have a 


24 different tag? 


25 A. Yes. 
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i Q. And your job is to find the right tag and apply it to the 


2 right part of the report? 

3 A. 

4 O. And when you say "taxonomy," is that a menu of tags that 
5 you can choose from? 

6 A. Yes. 


7 Q. Okay. What's the time difference between here in Boston 


8 and Ulsan, South Korea where you work? 


9 A. Usually -—- during the Daylight Savings Time, it's 13 hours 


10:10 10 ifference. Without it, it's 14 hours difference. 


‘lal : Do you typically travel for work? 


13 Q. When was the last time before this week that you were in 


14 the United States? 


15 A. 2016. 


16 Q. Directing your attention to the period 2018, 2019, and 


17 prior to COVID in 2020, March 2020, where did you typically 


18 work? 


19 A. I stayed at home most of the time. Like, I need two 


10:10 20 monitors for my work, so I always work from home. 


21 Q. Would you go to an Internet café or a Starbucks to do your 


22 work with ActiveDisclosure? 


23 A. No. 


24 ‘ Why not? 


25 . I said earlier, I need two monitors to compare and 


10:11 10 


10:12 20 


21 


22 


23 


24 


25 
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So it's really hard to work with just a laptop. 


Q. Can you tell the jury -—- let me ask you this: Did your 


work hours stay the same all the way through the year? 


A. No. Like, we because the filings happens end of 


quarter and we have a peak time and non-peak time. 


Q. Are peak times right 


after the end of the -- in the 


lead-up to the filing deadline? 


A. Yes. After like, 


when the quarter ends, like, 


file their statements in 45 


companies have to file in 


SOs s. 


Os And so during peak times, what was your work shift? 


During peak time, I worked 11:00 a.m. to 7:00 a.m. Eastern 


Q. And what time was that, depending on the time of the year, 


approximately, in Korea? 


That means, like, 12:00 p.m. to 8:00 p.m. in Korea. 


And how about non-peak times? 


Non-peak, I work, like, my morning shift. So it is, like, 


p.m. to, like, 3:00 a.m. Eastern Time. 


And local time for you, when it's non-peak? 


It's 8:00 p.m. to —- 


8:00 a.m. to 4:00 p.m. 


When you're not working on your shift, those eight —hour 


periods that you're descri 


ibing, did you ever log into 


ActiveDisclosure to look at documents? 


A. No. 


10:12 10 


10:13 20 


21 


22 


23 


24 


25 
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Who handles the work when you're not working? 


My teams, like, we work —- because I'm outside of U.S., 


was working -—- like, my morning shift becomes night shift here, 


SO 


cover the night shift. And there are other two shifts in 


morning and, like, evening times that they did the job. 


Q. 


your 


How frequently do you download press releases as part of 


work in XBRL? 


No, we don't download press release. 


Is there coding to do in press releases? 


No. 


Is there coding to do in exhibits? 
No. 


Do you work directly with clients? 


No. 


When you logged into ActiveDisclosure back then, how did 


you get access? 


A. 


When a client assigns, like, a task, we get an automatic 


email and it has a link in it, so I just click and the site 


pops 


up. 


Do you need a username and password in addition to the 


When you log in from home, do you use the company's VPN? 


Do you ever use private VPNs to log into ActiveDisclosure? 
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al : No. 


2 ‘ Have you ever heard of AirVPN? 
i : No. 


4 ‘ Do you use AirVPN to log into ActiveDisclosure? 


3 ‘ No. 


6 : Have you ever used a company called Quintex Alliance 


7 Consulting to log into ActiveDisclosure? 
8 A. No. 


9 Q. What's the username that you use to log into 


10:13 10 ActiveDisclosure? Don't tell us your password, but just the 


Ad. username. 


12 ; It's my employee ID, so it's rrl146363. 


13 : often -—- do you have access with your username and 


14 to all of the DFIN clients in ActiveDisclosure? 


16 : you mentioned —-- or you testified that you didn't 


LS download press releases. When did you download documents as 


18 part of your job? 


19 A. So we get multiple, like, threads of documents, and we 
10:14 20 need to compare with the current version and the previous 


21 version, so only for comparison we download the documents. 


22 Q. What kind of documents did you download to compare? 


23 A. I think it's, like -- it's called 10-K or 10-0, like, 


24 there's only one type of document on the, like, main page of 


25 the activity's quarter. So I download it there. 
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i : And would you only do those tasks if you got an email with 


2 lank. == 


4 ‘ for a particular client? 


6 : Did you make a habit of logging into clients when you 


7 t have an email assigning you something? 


9 : Did you ever log into ActiveDisclosure and look at 


10:15 10 client after another after another after another over t 


£ 


da. course of an hour? 


12 A. No. 


£ 


13 Q. Are you 


amiliar with DFIN's policies and practices 


14 regarding confidentiality? 


15 A. 


16 Q. What are they? 


17 A. Since we are seeing, like, companies' information before 


18 they release to the public, so we are not allowed to share it 


19 or disclose to anybody else. 


10:15 20 Q. Are you allowed to make investing decisions based on that 


21 information? 


22 A. No, we are not allowed. 


23 ; Why not? 


24 ; It's, like, kind of inside information. 


25 : Do you know an employee at DFIN named Julie Soma? 
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al : I heard about her name, but not really, not in person. 
2 ‘ Have you ever worked in the same place? 

S ; No. 

4 ‘ Have you ever shared a computer with her? 


3 ‘ No. 


6 ; Have you, to your knowledge, ever shared an IP address 
a her? 
8 : No. 


9 MR. KOSTO: No further questions. 


10:16 10 ROSS-EXAMINATION 


1] BY MR. FERNICH: 


12 Q. Good morning, Ms. Han. 


13 A. Good morning. 


14 Q. I'm Marc. I'm one of the defense lawyers in this case. 


iS) We don't know each other, do we? 
16 : No. 
17 : We haven't met or spoken, correct? 


18 : No. 


19 : You have spoken with the government lawyers in this case; 
10:17 20 is that right? 

21 : Yes. 

22 : And you spoke with them on January 13th, a couple weeks 


23 Does that sound right? 


24 < I've talked to them, but I don't remember the date. 


25 : Okay. Have you spoken to them in the last week? 
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1 A. I'm not sure about the date. 

2 Q. Okay. Well, do you think you spoke to them after New 

3 Year's? 

4 A. Yes. 

5 Q. Okay. And when you spoke to them, the lawyers asked you 

6 some questions, the government lawyers, yes? 

7 A. 

8 Q. And you gave them some answers? 

9 A. 
10:17 10 Ox And the purpose of that exchange was to prepare for your 
11 testimony here today? 


12 A. Yes. 


13 Q. And you told us, ma'am, that you've been working for 
14 for about 13 years; is that correct? 


15 A. Yes. 


16 : And, of course, you are still working there now, right? 
Ay . Yes. 


18 : Let me follow Mr. Kosto's lead and direct your attention 


19 to around 2018 through '20. Okay? 


10:18 20 : Okay. 


21 ‘ You and DFIN were handling private client financial 


22 information back then? 


23 A. 


24 Q. And as you told us, the information was considered 


25 fidential, correct? 
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al A. 
2 Q. And there was a policy against disclosing that information 
3 to outsiders, right? 


4 A. 


5 O. And do I have this right, you work remotely, not ina 


6 physical office? 


7 A. During 2018 to '20, like, yes. 


8 Q. Sure. Sure. In fact, you were actually working from home 


9 during that time? 


10:18 10 : Yes. 


11 : Do you live alone, or do you live with anybody else? 


12 : IT have -—- like, I'm living with my husband and kids. 


13 : Okay. So there's how many other people in the house? 
14 ; Three. 


15 : Okay. And you told us that through the ActiveDiscl 


16 network, you had, at least potentially, access to all cl 


17 in the network; is that correct? 


18 A. 


19 Ox And all you had to do to access the ActiveDisclosure 


10:19 20 system back then was follow a link that you were given, yes? 


21 F Yes. 


22 . And enter a password and a user ID; is that about right? 
23 : Yes. 
24 : Okay. And nothing else you had to do, no special security 


25 code to enter? 


10:20 10 


10:20 20 


21 


22 


23 


24 


25 
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A. Back then, yes, only ID and password. 


0. Okay. And back then -- I'm still talking about 2018 


through '20 -- now and then, every once in a while, you even 


used WiFi to access the system occasionally? 


on my VPN. 


I used, like, home WiFi, but it's secured, and ] 


Okay. Did you ever use any WiFi networks outside the 


No. 


Okay. Fair enough. 


At one point, you recall -—- well, strike that. 


Do you have any mobile devices like 
smartphone? 

A. 

Q. And the smartphone, naturally, has 
correct? 


A. 


a cell phone, a 


Internet access, 


Q. And at one point, DHL —- do you know DHL is a -- well, 


what's DHL, do you know? 


No. 


Do you know that DHL is a -- 
The delivery system? 
Yeah. 


Yeah. 


It's a large international shipping 


company; is that 
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3 : And at one point, DHL lost a laptop of yours in transit 


4 South Korea to around the Washington, D.C. area? 


3 ‘ I don't remember. 


6 : You don't recall -- go ahead. 


7 P When was it? 


8 : Well, I'm sort of trying to ask you that. 


9 Do you recall that happening? 


10:21 10 : No. 


11 Ox You don't recall having lost a laptop, or not you having 


12 lost a laptop, but it being lost in transit? 


13 MR. KOSTO: Objection, Your Honor. 


14 THE COURT: Overruled. 


15 Do you remember sending your laptop back to the United 
16 States? 


17 THE WITNESS: I don't remember. 


18 ‘ Okay. Fair enough. We won't go any further with that. 


£ 


19 As part of your job, when you were on assignment, you'd 


10:21 20 documents to help out with coding. Do I have that right? 
21 : Yes. 
22 : And sometimes you would download those documents? 


23 : Yes. 


24 : And you also worked on financial statements; is that 


25 COrrect? 


10:22 10 


10:22 20 


21 


22 


23 


24 


25 
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Q. And as part of that process, you would compare current 


versus draft versions; am I right? 
Yes. 
And to do that, you sometimes downloaded something called 


c co 


master file or master files? 


Yes, master clean files. 


Master? 


Clean. 


Clean? 


So our ActiveDisclosure is based on the Word documents, so 


it has tagging in it. So for the compare purpose, we need a 


clean file. 


Q. Yeah. And just when you mentioned taxonomy on direct, we 


weren't talking about birds and stuffing animals, stuff like 


that? Do you know what taxonomy is? 
Me? 
Yeah. 
Yes. 
There's another use for the word "taxonomy." 


Oh, okay. I didn't know that. 


MR. FRANK: I believe that's "taxidermy." 


Q. Sometimes drafts -- these drafts that you downloaded or 


looked at, sometimes the drafts would change before final 


versions were filed with the Sl 
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1 A. Like, in the initial period, like, they change a lot, but 


2 at the end, it's almost settled, only a few changes. 


3 Q. But prior to filing, they could change a lot in a short 
4 period of time? 
5 A. 


6 Q. And the information in those documents, in other words, 


7 might change some before it was released to the SEC; is that 


8 correct? 
9 A. Yes. 


10:23 10 Q. Now, Ms. Han, as you sit here today, you personally have 


11 no idea who, if anyone, might have used your log-in credentials 


12 without permission to access DFIN's computer system; is that 


13) right? 


14 A. No. 


15 . FERNICH: Okay. Nothing further. Thank you. 


16 COURT: Anything? 


17 . KOSTO: t one question, Your Honor. 


18 COURT: right there. 


19 (DIRECT EXAMINAT 


10:23 20 BY MR. KOSTO: 


21 Ox Ms. Han, did you ever download Exhibits 99.1, 99.2, or 


22 99.3 for XBRL coding as part of your job? 


23 A. No. 


24 MR. KOSTO: No further questions, Your Honor. 


25 THE COURT: Thank you. Have a nice trip back. 
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i Next witness. 
2 MR. FRANK: Thank you, Your Honor. The government 


3 calls Julie Soma. 


4 THE CLERK: You can take the stand and just remain 
5 standing and raise your right hand. 


6 JULIE SOMA, sworn 


7 THE CLERK: You can be seated. And please state and 


8 spell your last name. 


9 THE WITNESS: Hi, I'm Julie Soma. J-u-l-i-e S-o-m-a. 


10:25 10 THE CLERK: Thank you. 


Li MR. FRANK: I've never said this before, Ms. Soma, but 


12 that might be a little too loud. If you could just move the 


13 mic just a little further away. 


14 THE WITNESS: Test, test. 


15 MR. FRANK: Perfect. 


16 THE WITNESS: Okay. Thank you. 


17 MR. FRANK: Thank you so much. 


18 DIRECT EXAMINATION 


19 BY MR. FRANK: 


10:25 20 : Welcome. Where do you live, Ms. Soma? 
21 : Seattle, Washington. 
22 : And are you currently employed? 
23 : Yes. 


24 ‘ Where do you work? 


25 . At Donnelley Financial Solutions. 
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£ 


al : Is that sometimes referred to as | 


Z : Yes. It's a mouthful, so DFIN. 


3 ‘ And in a sentence, what does DFIN do? 

4 ‘ We are a document management and printer to companies that 
5 are public or private. So we manage their documents. 

6 : How long have you worked there? 


i : Coming up on 27 years this spring. 


8 ‘ And could you tell us, how far did you go in school? 


9 . Undergraduate college. 
10:26 10 : And what did you study? 


11 : Political science and speech communications, liberal arts. 


12 ‘ What's your title at DFIN? 


13 : My title is implementation program manager or architect. 


14 . Again, in a sentence or two, what does that involve? 


15 F Well, it involves onboarding clients to our different 


16 latforms, also working on process documentation. I do a lot 


17 of PowerPoint and Visio Maps and testing of our products. 


18 . Do you, from time to time, work with ActiveDisclosure? 


19 Yes, I do. 


10:26 20 : What do you do with respect to ActiveDisclosure? 


21 E Implementation architect, historically, for 


22 ActiveDisclosure, onboarding and training clients to use it, 


23 helping them troubleshoot their documents from a style and how 


24 they can use the product to best gain efficiencies with their 


25 process. Also helping my colleagues help their clients. Soa 
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lot of internal troubleshooting, research, or diagnostics, I 


10:27 10 


would say. 


I want to direct your attention to the time period 2018 to 


VeSis 


Do you have that time period in mind? 
Yes, we can. 


Where were you working between 2018 and 2020? 


I was working remotely from home, starting in January of 


2018. In October of 2018, I moved to southeastern Washington, 


to a little town called Richland, Washington. So I was 


£ 


primarily working from home during those two timelines. 


10:28 20 


21 


22 


23 


24 


25 


Q. And did you, from time to time, do any work travel? 


A. Yes, I did. I did -—- my most prominent reason for 


business travel was to travel to our Phoenix, Arizona office 


for sometimes a week to two weeks at a time for training. 


Other times, not on business trips, I would frequently go stay 
with my parents and -- 


Q. And that was also in the Phoenix area? 


A. It was, later in 2019. My parents were originally in Lake 


Chelan, Washington, and then my mom relocated there at the end 


of August 2019 for her retirement, part two. 


I want to ask you a few questions about your work habits. 
Okay. 


You mentioned that you worked from home. Did you 
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1 typically work from home or in the office? 


2 ‘ I typically worked from home, when I was working from 


4 ‘ And other than that, you would be in the office? 


= 


5 : Correct. And it would be infrequent for me to go to the 


6 fice. It was once or twice a year, maybe. 


. Q. And when you were working from home, what hours did you 


8 typically work? 


9 A. Typically, since I'm West Coast -—- Seattle's three hours 


10:29 10 behind East Coast -—- typically, I'd work —- definitely between 


11 7:00 and 2:30 and 3:00, and then there's other days where 


12 may, you know, start a little earlier or a little later, just 


13 depending on projects and the needs of the day or the week. 


14 . Did you ever work overnights? 


16 Q. What are you typically doing between the hours of about 


17 midnight and 7:00 a.m., when you start work? 


18 A. Well, beauty rest, hopefully, but sometimes Netflix binge 


19 watching. 


10:29 20 Q. I won't ask you which programs. 


21 When you log into DFIN's computer network from home, how 


22 do you do it? 


23 A. Well, it requires Internet access, so I always need my 


24 WiFi. So I have my Internet, and then Donnelley provisions a 


25 proprietary VPN, which is a private network or connection to 
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il Donnelley's stuff. 


2 Q. Do you use any -- again, during this time period of 


3 to 2020, did you use any sort of credentials to log in? 


4 A. Yes. My company provides me with my login. So I have to 


5 use that to get in. 
6 Q. So -—- so you would use a username and a password? 
7 A. That is correct. 


8 Q. Okay. And again, during that 2018 to 2020 time period, 


9 did you typically log in from places like cafés or libraries? 


10:30 10 A. No, not very -- no, never a library. Very rarely, a café. 


1 When traveling on business, spot-check email, but I would be on 
12 my phone usually. 
13 Q. So you wouldn't be logging into the ActiveDisclosure 


14 database from a café? 


16 : Do you ever use, when you logged in, a third-party VPN to 
ay log in? Not the Donnelley VPN, but a third-party VPN? 


18 : No. 


19 : Have you ever heard of a company called AirVPN? 
10:31 20 : No. 


21 : Did you ever use AirVPN? 


22 : No. 


23 : When you were working from your mother's home after she 


24 her second phase of her retirement, in the Phoenix area, how 


25 did you log in? 
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3=8'1. 


1 : Using WiFi and then my Donnelley credentials. 


2 ‘ So similarly, you'd use the Donnelley VPN? 
i : Correct. 


4 ‘ Not a third-party VPN? 


3 ‘ Correct. 


6 : You mentioned using your username and password. I'm not 


7 going to ask you for your password, but I am going to ask you 
8 if you could tell us what your username was on the system? 
9 : rr, and then my employee number, 52260. 

10:31 10 ; rr52260? 


Ved. ‘ Yes. 


12 : During this time period, 2018 to 2020, were you 


13 responsible for specific clients? 


14 A. Barly in the 2018 -- I kind of phased out my clients, up 


15 like, two total, but at the first part of 2018, yes. 
16 : How many at that time? 


17 : Probably up to six. 


18 ‘ Do you recall which ones they were? 


19 F Well, a private company that nobody would know the name 
10:32 20 of, Weyerhaeuser, Picar, a paper company in Spokane, Clearwater 
21 and Potlatch. 


22 O.. Okay. As part of your job, would you have broad access to 


23 the ActiveDisclosure platform? 


24 A. Broad access? 


25 Q. Did you have general access to ActiveDisclosure? 
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1 A. 


2 Q. What types of documents would you typically access in 


3 ActiveDisclosure? 


4 A. Well, it depends on what clients needed or, internally, 
5 what the matter was. The document could be any type. The 
6 predominant documents on our system are proxy statements, 


7 annual reports, collaboration documents, and Form 8-Ks. 


8 Q. You mentioned annual reports. Are you referring to 
9 Form 10-Ks? 

10:33 10 ‘ Yes. There's 10-Ks, 20-Fs and 40-Fs. 

‘lal ; Okay. And you mentioned 8-Ks? 

12 : Correct. 


13 : Are you familiar with an attachment to 8-Ks called a 99 or 


14 sl. 6% 2a 99.22 


LS : Yes. Those are SEC provision naming conventions for what 


16 are called exhibits that go with an 8-K document. 


17 Q. And what are those -- what do those particular exhibits 


18 deal with? 


19 A. Typically Exhibit 99.1 or 2 is a press release that 


10:33 20 contains a narrative written description from the company of an 
21 announcement of the company. And within that, there could also 


22 be tabular disclosures. So companies will typically do what's 


23 called an 8-K earnings release once a quarter to announce and 


24 notify the public of their quarterly earnings, how they did, 


25 how they performed. 
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1 Q. So they'd file a quarterly earnings press release with an 


2 8-K and an Exhibit 99? 
3 : Correct. 


4 ‘ And then they would also file a 10-Q? 


5 ‘ That is correct. 


6 ‘ And you would, from time to time, access those types of 
7 documents? 
8 A. That is correct. 


9 Q. For what reasons might you do that? 


10:34 10 A. If a company needed help with the style of their document 


‘lal or how to manage it, you know, with a technical system there 


12 could be some nuances, and users sometimes need help 


13 troubleshooting so they can make their edits. Sometimes they 
14 would need help running compares. Or if they had a particular 


15 question about a version of the document, you would have to go 


16 in and look at the version and it would -- a lot of it was 


17 diagnostics too. 


18 Q. How often would you download documents like an 


19 10-Q? 


10:34 20 A. Infrequently. It would be on a demand basis based on 


21 circumstances, if a client needed help or, internally, if 


22 somebody needed a compare, or if the document -- we couldn't 


23 physically technically finish their document on that platform. 


24 It would be kind of rare. But if we had to transition it over 


25 to another platform, it would have to leave the system to go 
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a. there. 


2 : But that was infrequent? 


3 ; It was infrequent, yes. 


4 QO. How often, if at all, would you go from document to 
5 document or client to client to download documents? 


6 A. Never. Infrequently, if anything. Never. 


£ 


7 Q. Would you ever go from client to client and alphabetically 


8 access those types of documents? 


9 A. No. 


10:35 10 O% And again, what kinds of information is in those documents 


11 that we just discussed? 


12 A. Well, the different there's the annual reports. Those 


£ 


iscal 


13 taken annual year-to-date performance for the prior 


14 year, and then the quarterly reports or the 8-K earnings would 


15 contain a financial snapshot of that three-month duration and 


16 would give information about how the company fared, if they 


17 exceeded or did not exceed the expectations. So if they did 
18 well or didn't do very well. 


19 Q. What is your understanding about whether that type of 


10:36 20 information is publicly available at the time that it's in 


21 DFIN system? 


22 A. It is not publicly available. It's private until the 


23 company does two things: They file a news wire with the 


24 communication agencies, like the news wires, and they file it 


25 via the SEC system. So it becomes public at those two events. 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 85 of 182 


i : And what's the name of that SEC system where it's filed? 


2 : It is called EDGAR, and it stands for electronic data 


3 gathering and retrieval, analysis, EDGAR. 


4 OQ. And that's an online filing system? 


5 A. It is an online system. Companies will file the documents 


6 electronically with the SEC on the EDGAR system, and it's all 


7 privately disseminated. And then the SEC will take the data 


8 and publish it on their websit 


9 Q. Are you familiar with DFIN's policies and practices with 


10:37 10 respect to that kind of information when it's in the DFIN 


11 system? 


12 A. It is confidential and sacred. 
13 O% And just backing up for one moment. The EDGAR system, to 


14 your knowledge, does it track the date and time of the filing? 


15 A. Yes, it does, because when it files, there's a date and 


16 time stamp associated with when the SEC receives it. And then 


17 there's a public dissemination date and time stamp as well, 


18 because sometimes something can get filed and it gets published 


19 the next morning at 6:00 a.m. Eastern. 


10:37 20 Q. And you mentioned that when the information is within the 


21 DFIN system I believe the words you used were "confidential 
22 and sacred"? 

23 A. 

24 Q. What's your understanding of why it's confidential and 


25 sacred? 
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1. A. Because it's not supposed to be public until the company 


2 intends to finalize the document and make it go public. 


3 Q. Under DFIN's policies, are you permitted to use that 


4 information to make trading decisions? 
5 : No. 


6 : What's your understanding of why not? 


7 : Because it could influence your decision to purchase or 


8 stocks or things that you own. 


9 : Why is that? 


10:38 10 ‘ Because how a company has fared the prior quarter, if they 


11 did well, then if you previously owned the stock, you could 


12 make money. And then if you had earnings that were not per the 


13 expectations and didn't meet performance that were set by the 


14 management team, then you wouldn't want to own that stock 
15 because you could lose money. 
16 MR. FRANK: Thank you, Ms. Soma. No further 


17 questions. 


18 THE WITNESS: Okay. 


19 CROSS-EXAM 


10:39 20 BY MR. NEMTSEV: 


21 OO. Good morning, Ms. Soma. My name is Max Nemtsev. 


22 attorney for Mr. Klyushin. 


23 A. Good morning. 


24 Q. Good morning. We've never met before or spoken, correct? 


25 A. No. 
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ac On And you've spoken to Mr. Kosto, Mr. Frank, and other 


2 government agents prior to this? 


3 ; Yes. I met them. 
4 ‘ When was the last time that you met them? 


5 : On Monday. 


6 : And before that, you met them on January 12th as well; is 
- correct? 


8 : January -—- no. 


9 : Did you speak to them over the phone? 


10:39 10 : On the phone. It might have been that date, but yes, one 
‘lal other time this month. 

12 Q. And that meeting, the one on Monday and the prior phone 
13 call on January 12th, that was in order to discuss your 

14 testimony today, correct? 

15 A. 

16 Q. They gave you questions, you gave them answers to prepare 
ay you for today's testimony, correct? 


18 A. 


19 Q. You and I, we've never rehearsed or scripted or prepared, 
10:40 20 correct? 
21 A. No. 
22 MR. FRANK: Objection to "rehearsed" or "scripted," 
23 Your Honor. 


24 THE COURT: Overruled. 


25 : You and I have never rehearsed, scripted, or prepared, 


10:40 10 


10:41 20 


21 


22 


23 


24 


25 
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correct? 
A. No. 


Thank you. 


And you've been with DFIN, or 


Solutions, for 27 years, correct? 


A. Yes. 


Donnelley Financial 


Q. Through every single version of ActiveDisclosure that 


there was, essentially, correct? 


Yes. 


And from 2018 to 2020, you primarily worked from home; is 


right? 


Yes. 


And at one point, I think you mentioned that you worked in 


Phoenix, Arizona? 


name sounds familiar, 


but. 


you ever meet a Mr. Jason Lewis while you worked 


many employees are there in Phoenix, Arizona, to your 


knowledge? 


A. In Phoenix, I couldn't venture to guess, but no more than 


100 to 200 in the Phoenix area, 


potentially. 


Q. And how many employees are there at DFIN in general? 


A. I couldn't say for sure, 


because we spun o From another 


company a few years ago, like five years ago. I don't know how 


10:42 10 


10:42 20 


21 


22 


23 


24 


25 
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many total employees there are. 


Fair enough to say it's above a thousand employees 


Potentially, but I can't say for sure. 


Public companies hire DFIN and use their ActiveDis 


4 


closure 


system in order to file documents on this system called 
correct? 


A. That is correct. 


Q. I think you said that these documents are sacr 


you don't mean in the sense that they're gospel or anyt 


A. No, no, I didn't mean that. I just meant they're 


and the only people that should have access are the com 


is the company and who is supporting them. 


Q. And the reason why they should remain private is b 


like you explained yourself, if you, for example, see a 
estimate of earnings and you have this document in your 


and the results are better, the price of the stock woul 


go up; if they're worse, the price of the stock would 1 
down, correct? 


A. That is correct. 


Q. It wouldn't be a difficult analysis to perform, if 


have the estimate -—- 


MR. FRANK: Objection as to how difficult it w 


THE COURT: Well, do you know? 


THE WITNESS: Pardon? 


It wouldn't be very difficult for you, let's say, 


EDGAR, 


ed, but 
hing -- 
private 


pany ~~ 


ecause, 


n 


hand 


d likely 


ikely go 


you 


ould be. 


to look 
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al at an estimate and see if the results are better than the 


2 estimate or worse than the estimate, and somehow confidentially 


3 predict whether the price would go up or go down, correct? 


4 A. No. I would disagree, because the content is very 


5 accounting-like, and I'm not an accountant. I'm more 


6 interested in the style of the document and the page breaks 


7 than I am the content, to be quite frank. 


8 Q. So you focused your assistance to DFIN's clients with 


9 formatting, coding; is that correct? 


10:43 10 A. Well, it's a lot of different things. It's the style of 


11 their document, how they upload it to the system to meet the 


12 E criteria. There's some technical specifications that go 


13 with that. A lot of questions about, like, do they have 


14 ile? What time do they have to file? What are their 


15 ines to file? How do they use the system? 


16 : And it requires you to have access to every single DFI 


LS) company, or DFIN contractor company, correct? 


18 A. When you have access, you have access to whatever clients 


19 are on there. 


10:43 20 Q. And how many clients does DFIN's ActiveDisclosure system 


21 serve? 


22 : I couldn't say for sure, but I think at one time it was 
23 a thousand. 
24 < Near a thousand. 


25 And all of those, to your knowledge, were publicly traded 
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i companies? 


2 A. No, a lot of them weren't public. We have a lot of 


3 private entities that use our software for their document 


4 management. They never have to file via EDGAR. 


5 Q. So they just hold documents with DFIN, but they don't 


6 necessarily file them with any public authorities; is that 
7 right? 


8 A. That's correct. 


9 Q. And while you were working and assisting DFIN's clients, 


10:44 10 were there times when the versions and the content within these 


11 documents would change from draft to final 


12 A. There's always -—- until it actually files with the SEC, 


13 it's never considered final. As to the extent of how many 


14 rounds of changes a company would make, it would depend on the 


15 lifespan that their document was on the system. Because 


16 sometimes a company would have something, and they would draf 


17 it for four months, potentially. 


18 Q. So potentially, a lot of changes with these documents 


19 the first time that they're uploaded to the time that they 


10:45 20 ultimately get filed with EDGAR? 


21 A. You know, usually with the roll forward, that's where most 


22 of the changes go. Once the company has dropped in numbers, I 
23 wouldn't say there's significant changes. They're usually just 
24 wordsmithing at that point or dropping in signatures, conformed 


25 signatures. And if they don't know the date they want to file 
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i with the SEC, they'll drop in the date. And sometimes if 


2 they're printing a document, they'll make more style changes 


3 than content. 
4 Q. Thank you. 


5 Taking you back to 2018-2020, what did you need to do in 


6 order to access your DFIN account? 


7 A. need to go online. You need to have Internet access, 


8 and then put in your credentials and your password. 


9 ©. that Internet access could come from anywhere? Could 


10:46 10 it be from a hotel, a WiFi hotspot, whatever it is, correct? 


11 A. That's true. Internet -- as long as you have Internet 


12 access. I primarily worked from home or the office. 


13 Q. And sometimes you worked from your mother's house or 
14 sometimes you worked from a hotel, correct? 


15 A. More infrequently, but yes. 


16 Q. There was no requirement for multifactor authentication 
17 any additional security measures, correct? 


18 A. We have MFA. As far as to what date and time Donnelley 


19 implemented that years ago, I cannot recall. 


10:46 20 ‘ Did you need to use a DFIN laptop in order to log in? 


21 F No, not to ActiveDisclosure. 


22 : Did DFIN provide you with a laptop? 


23 : Yes. 


24 : Am I correct that it's a Dell laptop? 


25 . That's correct. 
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1 : A Windows PC? 

2 ‘ Yes. 

3 ‘ And you typically use a Chrome browser to log in? 
4 ‘ That is correct. 


5 : Did you ever use any commercially available VPN providers? 


6 : No. Donnelley has a VPN, but there's no commercial VPNs. 


. : So you've used VPNs before? 


8 : Donnelley has a VPN, so I use that one. 


9 : Did you ever use a VPN for yourself when you go on 
10:47 10 vacation? 


11 A. No. Always WiFi. 


12 Q. Did you ever go on a trip to Mexico where you used a 


13 commercially available VPN to log in to the Internet? 


14 A. My sister had a —- Internet, but she had a U.S. VPN, but 


15 don't think I had to log into it. I still used just her 


16 Internet in Mexico. 


17 Q. So you used her Internet in Mexico, and you believe that 


18 she was using a VPN at the time, correct? 


19 A. Right. 
10:47 20 Q. And it essentially made it appear, while you were in 
21 Mexico, that you were in the U.S., correct? 


22 A. Correct. 


23 Q. And it helps with watching Netflix, for example —- 


24 know if you -—- strike that. 


25 You said you like watching Netflix, correct? 
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1. : I am a Netflix person, yes. 


2 ‘ Me too. I completely agree. 


3 When you go on vacation internationally, outside of the 


By 


4 -S., do you sometimes watch Netflix at night before going to 


6 A. Well, I don't think it matters where I . © just like 


7 Netflix. 


8 Q. But if you're in Mexico, for example, some content is 


9 blocked on Netflix, correct? 


10:48 10 A. Yes, I think so. 


‘lal Q. And sometimes you can use a VPN in order to unlock that 
12 content, correct? 
13 MR. FRANK: Objection to foundation, Your Honor. 


14 COURT: If you Know. 


15 WITNESS: What? 


16 COURT: Did you ever use a VPN in Mexico to use 
17 Netflix? 


18 THE WITNESS: Not Netflix. 


19 Q. Did you use it to access other news that may not be 
10:48 20 available or websites that may not be available because you're 


21 in Mexico? 


22 A. No, I don't think so. 


23 : And you said your sister purchased this commercial VPN? 


£ 


Tor one 


24 : I don't know how she got it. I was only there 


25 in November of 2017, which I believe is before this 


10:49 10 


10:50 20 


21 


22 


23 


24 


25 
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timeline. And I 


in Mexico at my sis 


away, so it 


ter's. 


was in December of 2020. 


also was there over Christmas and New Year's, 


It was the year after my mom passed 


And that was it. And I 


didn't really work a whole lot on vacation. We were doing 


other things on vacation. 


Q. I'm sorry to hear about your mother. 


NEMTSEV: 


WITNESS: 


FRANK: 


COURT: 


WITNESS: 


COURT: 


WITNESS: 


COURT: 


KOSTO: 


THE CLERK: 


your right hand. 


TH 


and spell your name for the record, 


E CLERK: 


THE 


THI 


MR. 


THI 


WITNESS: 


CLERK: 


KOSTO: 


COURT: 


Thank you. 


have nothing further. 


Okay. Thank you. 


Nothing further, 


Your Honor. Thank you. 


Thank you for coming. 


Thank you. Can I leave now? 


Yes. 
Okay. 


You can stay. 


United States calls Jason Lewis, Your 


Sir, can you remain standing and raise 


JASON LEWIS, sworn 


You can be seated. Could you please state 


your last name. 


Jason Lewis, J-a-s-o-n L-e-w-i-s. 


Thank you. 


May I proceed, Your Honor? 


Yes. 


10:51 10 


10:51 20 


21 


22 


23 


24 


25 
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Go 


Go 


Wh 


TRECT EXAM 


BY MR. KOSTO: 


od morning, Mr. Lewis. 


od morning. 


at city do you work in? 


Houston. 


We 


Wh 


lcome to Boston. 


at company do you work {i 


Donnelley Financial. 


Q. How long -- what do you call Donnelley Financial 


short? 


How long have you worked f 


DFI 


N. 


Nine years. 


So 


20 


And what do you do for DFI 


Wh 


2013, 2014? 


14, yes, sir. 


I'm a director of ActiveDi 


for 


N? 


sclosure. 


at does a director of ActiveDisclosure do? 


am in charge of increasing revenue for the platform and 


for ap 


Ye 


Ar 


Ye 


articular territory. 


s, sir. 
e you a sales guy? 


s, sir. 


It sounds like you sell the product? 
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1 Q. And when you say "the product," when you introduce that 


2 product to potential clients, how do you describe it? 


3 A. It's a cloud-based application for collaboration, 


4 multiple people to collaborate on a document together, 
5 to the SEC. 


6 ‘ A lot in there. Collaboration means? 


i : Multiple people working in a document together. 


8 : And then you said cloud-based? 


Be aah od ££ 


9 : Yes, sir. Soo fe) 


all -- off of Google Chrome or 


10:52 10 Internet Explorer, all web-based. 


11 Ox the software is used 


12 A. File documents with the SEC. 


13 Q. You mentioned, I think, you had a sales territory. What 


14 is it? 


15 : I cover South Texas and Louisiana. 


16 : What are the major cities in that group? 


17 : Houston, Baton Rouge, New Orleans, Shreveport. 


18 ‘ Are all of your sales -- do you call them targets or 


19 relationships? 


10:52 20 A. Relationships, targets. 


21 Q. Are all of your sales relationships in South Texas and 


22 Louisiana? 


23 A. Yes, sir. 


24 Q. And do you sell the product to any particular kind of 


25 company? 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 98 of 182 


1 A. Particularly oil and gas. Due to Houston nature, that's 


2 particularly what the companies are, oil and gas. 


3 Q. A lot of oil and gas down there? 


4 A. Yes, sir. 


5 Q. Do you typically travel outside of South Texas and 


6 Louisiana for work? 


7 A. No, sir. 


8 ‘ Would you occasionally go to a sales conference? 


9 , I would. 
10:53 10 ; Where would that be? 
11 : Possibly Florida or New York. 


12 ‘ And would that be -- how many times per year would you do 


13 that? 


14 A. Maybe once a year. 


15 . For a week or so? 


16 : Yes, sir. 


ay ‘ What's the time zone you work in most frequently? 


18 : Central. 


19 : And what percentage of your work do you do in the Houston 
10:53 20 area? 


21 A. Probably 90 percent. 


22 Q. I want to point you to the time before COVID. So March —-- 


23 whatever it was -- 13th, 2020. Where did you work physically 


24 before COVID? 


25 A. We had an of -—- on Shepherd in Houston, Texas, and 
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al then we moved that office to Kirby, which is another street in 


2 Houston. 


3 : Did you have the ability to work from home if you needed 


5 : TL -did. 


6 Q. And you certainly took sales calls at potential client 
7 sites? 
8 A. Yes, sir. 


9 Q. What were your typical hours in 2018, 2019, and 2020 for 


10:54 10 your sales work? 


ala , Typically, 9:00 to 5:00. 


12 : I u had an 8:30 client meeting, could you do that? 
13 : utely. 


14 HE COURT: Is that 9:00 to 5:00 Central Time? 


iS) HE WITNESS: Yes, ma'am. Yes, Your Honor. 


16 : when you weren't selling or meeting with potential 


17 ae id you access ActiveDisclosure at all? 


18 : sir. 


19 : Did you ever access ActiveDisclosure in the middle of 


10:55 20 night, Central Time? 


21 A. No; Sir. 


22 Q. In selling ActiveDisclosure as a product, did you have 


23 reason to access live client information? 


24 


25 ; I say live client information, what do you understand 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 100 of 182 


3-100 


a. that to be? 


2 A. A live document that could potentially be filed to the 


3 S] 


4 Q. How did you demonstrate how ActiveDisclosure worked 


5 without accessing the live material? 


6 A. We were in a demo production site that I've had demo 
7 documents that we've worked on for a number of years. 


8 Q. So what's in the demo production site? 


9 A. filed documents that don't pertain to really anything 


10:55 10 other than, you know, they show a workflow of how 


11 ActiveDisclosure would work. 


12 : Does it relate to any particular company? 


13 : No, sir. 
14 ; Fair to call it a dummy document or a sample? 


15 : Yes, sir. 


16 ‘ Does it say it's a sample somewhere on it? 


Ay : IT don't T couldn't answer that. I've never really read 


18 the entire document, to be honest with you. 


19 Q. Where did you keep where was that information kept, 


10:56 20 this sort of sample information? 


21 A. So I had a foldering system inside of ActiveDisclosure 


22 that all my information was stored in that location. 


23 O. And what kind of information did you keep inside of your 


24 folder to sell ActiveDisclosure? 


25 A. There would have been some 8-Ks, some 10-Qs, some 10-Ks, 
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i proxy, and then maybe just a blank document just for -- I did 
2 work with some private companies as well, and just to 

5 demonstrate that. 

4 Q. To be clear, live documents or demo documents? 


5 é All demo documents. 


6 Q. What was your username at DFIN? Don't tell us your 
. password. 

8 A. rr202440. 

9 Q. To access the demo area, did you need a password? 


10:56 LO A. Yes, sir, did. 


11 Ox If a client that you sold to needed help with 


12 ActiveDisclosure or the coding or the tagging or filing, is 


13 that something you would help with? 


14 A. No, sir. 


15 Q. Did you ever hop on to ActiveDisclosure to help someone 


16 you'd previously sold the product to? 


Ly A. I wouldn't have access to that. 


18 : When you did access the demo area, did you do so through 


19 IN's VPN? 


10:57 20 : Not all the time. 


21 : When would you not use the DFIN VPN? 


22 : £ was on a company website or if I was at home, or WiFi 


23 of -—- or if I was at my home WiFi. 


24 Q. If you were at a client's site, how would you access the 


25 Internet? 


10:58 10 
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I would 


get onto their WiFi. 


3-102 


And then you'd use your username and password to go where? 


Into ActiveDisclosure. 


The live area or the demo area? 


My demo 


environment. 


How frequently did you work remotely from a café or a 


Starbucks or 


A. 


Q. 


I would 


Did you 


VPN company? 


you 


you 


you 


No, sir. 


sir. 


No, sir. 


an Internet location? 


never access ActiveDisclosure from that. 


ever access ActiveDisclosure by way of 


use AirVPN? 


use a company called Dedicated.com? 


use OneProvider.com? 


a private 


What's your understanding about the information in the 


live side of ActiveDisclosure and whether it's available to the 


10:58 20 


21 


22 


23 


24 


25 


public? 


A. 


Q. 


To my knowledge, 


through the SEC? 


A. 


Q. 


Are you 


It's there before. 


it was not available to the public. 


Is it there before or after that information is announced 


familiar with DFIN's policies and practices around 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 103 of 182 
3-103 


£ 


client information? 


1 the confidentiality o 


Z A. Yes, sir. We all have non-disclosures. 


3 Q. Why is that? 


4 A. Because there is potentially information that could be 


5 shared that is pre-public information. 


6 Q. Under DFIN's policies, are you permitted to use that 


7 information to make trading decisions? 


8 : sir. 


9 : Did you have -- did you work with prefiling information in 


10:59 10 at DFIN? 


11 : Sir. 


12 : Did you work with active live client data in your job at 


14 : sir. 


LS ; Did you have occasion to download active live client data 


16 ur job at DFIN? 


17 : No, sir. 


18 : Why is that? 


19 : I was always on a production site. 


10:59 20 : Because you sold the product, right? 


21 , I sold the product. I wasn't into support. 
22 MR. KOSTO: Nothing further, Your Honor. 


23 THE COURT: Any questions? 


24 MR. FERNICH: Yeah. We're about a minute bet 


25 11:00. Do you want me to go forward now? 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 104 of 182 
3-104 


1 THE COURT: It depends how long you have. 


2 MR. FERNICH: Fifteen minutes. 


3 THE COURT: Okay. We'll take our break. Thank you. 


4 THE CLERK: All rise. 
5 (Jury exits.) 


6 THE COURT: Thank you. Can I see the attorneys just 


a for a second at sidebar to talk about the rest of the day. 
8 (SIDEBAR CONFERENCE AS FOLLOWS: 


9 MR. FRANK: Yes, Your Honor. 


11:01 10 THE COURT: So this morning we made a lot of progress. 
11 How many more witnesses do you have today? 


12 MR. FRANK: Well, this was the final scheduled 


13 witness. Our next witness is available. We're flying much 


14 faster than we -- 


LS THE COURT: Bring him in. Who's the next witness? 


16 MR. FRANK: Special Agent Hitchcock. He's here. 


17 There's a couple evidentiary issues we need to talk 


£ 


crew 


18 about. There's many undisputed exhibits, but there's a 


19 exhibits that are disputed that are part of his testimony. 


11:01 20 MR. NEMTSEV: We don't know what exhibits they're 


2] planning on putting in because they haven't provided a list. 


22 THE COURT: Sure, because it's going faster. Maybe 


23 you can do that over the break. I don't want to lose the time. 
24 At the rate you're going, when do you finish your case if it's 


25 9:00 to 1:00? 
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iL: MR. FRANK: Monday, Tuesday. 


2 THE COURT: So you're thinking we don't have to go 


Si full days next week? 


4 MR. FRANK: At this rate, absolutely not. 


5 MR. FERNICH: I think the next witnesses will probably 


6 be longer than these. These were rapid fire. 
7 THE COURT: Yes. 


8 MR. FRANK: Special Agent Hitchcock is definitely the 


9 longest witness, and the witness after that is a recording, so 


11:02 10 that will take some time. 


11 HE COURT: Can we do the recording instead of the 


13 MR. FRANK: He's not in town yet. 
14 THE COURT: Okay. 


15 MR. FRANK: There's no big evidentiary issues. 


16 There's a few, though. 


A} THE COURT: So maybe you all grab coffee and stuff and 


18 then realistically -- what I'm thinking -- 


19 MR. NEMTSEV: We could close next week. 


11:02 20 THE COURT: I don't know. I mean, that's really your 


21 call. It sounds like the government's going to finish in the 


22 6th, 7th time frame. What I'm mostly worried about is I have 


23 to get the charge ready. As you know, I've started working on 


24 it. And we need a charge conference. If you're going to rest 


25 and you're going to rest, that means it could potentially go 


11:03 10 


11:03 20 


21 


22 


23 


24 


25 
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the jury in the vicinit 


y of the 8t 


MR. NEMTSEV: 


reliability and all of 


THE COURT: 


figure out when I need 


just rests and then I'm 


that. 


understand 


get the charge ready. 


Probably the experts because of 


3-106 


h or 9th. 


But you probably have witnesses, right? 


that. I'm just trying to 


to be ready, because sometimes defens 


flatfooted in terms of, oh, I have to 


What you're thinking is we'll probably 


not need to go more than half days? 


MR. NEMTSEV: 


THE COURT: Ok 


conference midweek next 


No, definitely not more than half days. 


ay. So we' 


11 plan on a charge 


week. Does that make sense? 


Potentially, we could be going to the jury here or here. 


Indicating.) 
MR. FRANK: Or 
THE COURT: Ye 


MR. KOSTO: 


Agent Hitchcock has got 


THE COURT: 


last night. I skimmed 


My bad. But, anyway, 


MR. FRANK: Wa 


THE COURT: 


But the 803 (6) 


the invoice. 


here. 


ah. I'd li 


think we'll] 


ke to get -- 


know more when we know 


ten off the stand. 


did receive a motion in limine at 10:00 


it while 


think this 
s this Mr. 

don't know. 
is really 


The others 


I was listening to testimony. 


Kosto's witness or mine? 


They flew by so quickly. 


what I'm thinking about, the 


it's not so much a 609 
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£ 


il issue or an 807 issue. It's has it met the -- so if you could 


2 look at those rules and see -—- and I think almost all of them 


3 qualify, except one, which is the invoice. And the question 


4 is, it was kept in the ordinary course of business of one 


5 company, but do I allow it in for the truth if they didn't 


6 generate it? So it may be allowed in for a limited purpose. 


7 Just think of it that way. It's not so much a 609 issue, as 


8 I'm thinking of it, but maybe I'm wrong. 


9 MR. KOSTO: The mention of a conviction would raise a 
11:04 10 609 issue. That's our concern. 


11 THE COURT: Perhaps, but you have to establish 


12 reliability. So the questi is in order to get it in for the 


13 truth of the matter assert i.e., that there was an invoice 


14 for a certain amount. Let —- just think about it that way. 
15 Okay? 

16 MR. FRANK: There is a business record certification. 
17 The fact that it's a business record of StackPath has not been 


18 disputed. 


19 THE COURT: Right, but then the question is do I allow 


11:05 20 it in for the truth. I'm just focusing you on that issue. 


21 Okay? We all need a break, so I'm not prepared to argue it, 


22 but I did skim your motion in limine. 


23 I noticed something, that with the guys you said, "I 


24 Fernich,"™ but with the women, you said, "I'm Marc." 


25 MR. FERNICH: Because of their language. 


11:05 10 


11:06 20 


21 


22 


23 


24 


25 
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THE COURT: 


MR. 


NEMTSEV: 


THE COURT: 


MR. 


MR. 


FERNICH: 


FRANK: 


MR. 


MR. 


FERNICH: 


FRANK: 


see. 


He's fl 


Just sayi 


3-108 


irting. 


ng. 


did that on purpose. 


Just to close out that last point, Your 


Yeah. 


So may I] 


I may ask, because it's relevant for this witness 


assume they're not going 


able to inquire about the conviction? Because if they 


that's relevant. 


MR. 


to the tape, 


‘ERNICH: 


Let me ask you something. With 


you're planning on playing the whole Saxo 


FRANK: 


FERNI 


Not the whole recording. 


Yes. 


I mean, 


Do you need Zorek for that? 


we could stip to it. 


Do we need what? 


The witness. 


There's a witness. 


You don't want to put the tape on today? 


your case. 


MR. 


FRANK: 


We're not 


don't 


Right. 


t's an hour-and-44-minute tape. 


playing the whole tape. 


want to compromise the order of 


u don't want to put it in today? 
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1 THE COURT: So let me just let us all have a break. 


2 But this is not a 609 impeachment situation, because 


3 the witness is an agent, and it's an 803(6) issue. Is ita 


4 business record. And if so, can I allow it in for the truth of 


5 the matter or just the fact that they received the invoice? I 


6 can allow it in for the fact they received the invoice but not 


7 FOr == 


8 MR. N ive fact the services were 


9 performed. 


11:06 10 THE COURT: The 1 t the services were performed. 


11 That's how I'm thinking o 


12 MR. KOSTO: May I add one caveat to that? 


13 THE COURT: Yeah. 
14 MR. KOSTO: Consistently, in Mr. Fernich's exam on an 


15 admitted exhibit, he referred to the location written in the 


16 document and said, "You don't see Russia here, this came from 
17 New York, this came from Minnesota." That's the exact same 


18 issue. 


19 THE COURT: You have other documents that show Boston. 


11:07 20 MR. KOSTO: That document has the IP address on it. 


21 It has the name of the data center on it. And that was created 


22 in the ordinary course of Micfo's business. Before we throw 


23 this invoice out as unreliable -- 


24 THE COURT: I haven't ruled. I'm not thinking of it 


25 as a 609 issue or an 807 issue. 
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al MR. KOSTO: But in the absence of a 609 issue, there 


2 would be no reason to keep it out. 


3 THE COURT: It's a company excuse me. You don't 


4 have a custodian from that company saying, we generated these 


5 service documents in the ordinary course, but it could be 


6 sufficient for the address. So I just need to think it 


7 through. It's just a business record issue, a run-of-the-mill 


8 business record issue. So what's the name of that company? 
9 MR. FRANK: StackPath. 
11:07 10 THE COURT: Received an invoice from someplace called 


11 such and such, which lists this address. There's no reason to 


12 believe the address is fraudulent. Whether the dates ar 


13 truthful, I'm not sure you've established a custodian who kept 


14 those dates in the ordinary course. So think about it from 


15 that vantage point and —- 


16 MR. FERNICH: But it goes beyond that because there's 


17 a confrontation issue as well. They're offering it to -—- to 


18 the extent they're offering it to prove the truth of the matter 


£ 


19 asserted, I've got no issue on the custodian part of it, but 


£ 


fer the assertions within the document for their 


11:08 20 they want to o 


AL truth. And this was an LLC. It's not a situation where it's 


22 BM or Arthur Andersen or some person that has nothing to do 


23 with it. 


24 THE COURT: I'm not deciding the issue, because I'm 


25 tired and I'm sure the court reporter is tired. I received 
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1 this at 10:00 last night. It was sort of going down a path I 


2 wasn't going on a 609, so you were a little bit -- I see why 
3 they were worried, but let's talk about it later. Okay? 
4 MR. FRANK: At some point, Your Honor, we do need to 


5 address the exhibits for Mr. Hitchcock, though. 


6 . FERNICH: You're talking about the Threema 46 


8 THE COURT: We can't do it right now. 

9 (A recess was taken, 11:09 a.m.) 
11:39 10 (Resumed, 11:39 a.m.) 
Li MR. FRANK: Your Honor, would you like us to call the 
12 next witness when this is over, or do you want to take a break? 
13 THE COURT: No. We'll call the next witness. We'll 
14 get it going. 


15 MR. : We're going to get to an objection pretty 


17 : ll, what's the objection to? 


18 MR. : f the photographs. 


19 THE : ] IT thought we went through the 


11:40 20 photographs. 


21 MR. NEMTSEV: They still want to put in the objected 


22 ; There's a few that we -- 


23 THE COURT: Not the seven are these the objected-to 


24 photos? 


25 MR. FRANK: I don't know what your Honor has. 
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1 them pulled here, and then there's the one with the cars, which 


2 we've now redacted the Porsche insignia. I don't know what 


3 your Honor is looking at. 


4 THE CLERK: Judge, they gave me a pile of exhibits 


bs that were objected to, and each one has a letter on it. 


6 MR. KOSTO: These are mainly photos that the Court 


7 reserved on, but here we are. 


8 THE COURT: Excuse me. I haven't seen most of these. 


9 I've only seen one of them. 


11:41 10 THE CLERK: Judge, these are for the next -—- okay, 


12 THE COURT: 


13 (Pause.) 
14 THE COURT: What's taking so long? 


15 (Discussion between the Court and Clerk.) 


16 THE CLERK: Okay, let me just bring them in right now. 
17 All rise for the jury. 


18 (Jury enters the courtroom.) 


19 THE COURT: Thank you. 


11:43 20 THE CLERK: You can be seated, everyone. Thank you. 


21 MR. FERNICH: Judge, may I proceed? 


22 THE COURT: Yes. 


23 CROSS-EXAMINATION BY MR. FERNICH: 


24 Q. Good morning, Mr. Lewis. My name is Mark Fernich. I'ma 


25 lawyer for the defendant, Mr. Klyushin. We don't know each 
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al other, sir, do we? 


2 : No, sir. 


3 ‘ We've never met or spoken, have we? 

4 : No, sir. 

5 : And you spoke with the government back on January 18, a 
6 couple weeks ago? 

7 : That's correct. 


8 ‘ Have you spoken with the government since that time? 


9 , I spoke with them last night as well. 


11:44 10 : Did you speak with these prosecutors, Mr. Frank and 

11 . Kosto? 

12 ; That's correct. 

13 : And they asked you some questions? 

14 : Yes, sir. 

15 ‘ And you gave them some answers? 

16 : Yes, sir. 

ay : And the purpose of that was to prepare for your testimony 


18 today, correct? 


19 : That's correct. 


11:44 20 : Now, Mr. Lewis, you told us on direct that you'd been —- 


21 you've been working for DFIN, should say, since around 2014; 


22 is that right? 
23 
24 : So nine years or so? 


25 . Yes, sir. 
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1 ‘ And you told us that DFI I'm paraphrasing -—- handles 


2 fidential client financial information; is that correct? 
3 . Yes, Sir, 


4 QO. And you and other employees —-- well, strike "you." 


5 Employees of DFIN are required to sign nondisclosure agreements, 


6 correct? You testified to that? 


7 A. Yes, sir, including myself. 


8 Q. Yes. Okay, thank you for that. And there are formal 


9 policies in place at DFIN to protect the sensitive information, 


11:45 10 correct? 

11 A. Yes, sir. 

12 Q. And among those are the provisions dealing with 

13 nondisclosure, right? 

14 A. Yes, sir. 

15 Q. Now, basically you're in sales? That's your job, right? 
16 A. Yes, sir. 

17 Q. And you're in sales around the ActiveDisclosure system, 


18 correct? 


19 A. That is correct. 
11:45 20 Q. And you covered the South Texas and Louisiana areas back 


2] in 2018 through '20; is that right? 


22 A. Yes, sir. 
23 Q. And you told us that some of your clients are oil and gas 
24 companies? Yes? 


25 A. Yes, sir. 
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i Q. Naturally, being from Texas, that's a big industry there, 
2 right? 
3 A. Correct. 


4 QO. And some of those are large oil and gas companies, to your 


5 knowledge? 
6 A. Yes, sir. 


7 Q. Can you tell me the names of some of the larger ones that 


8 as a Northeasterner, might be familiar with. 


9 : ConocoPhillips, BP, Exxon, Shell. 
11:46 10 : Okay, some real big oil and gas companies, correct? 


11 : Yes, sir. 


12 ‘ And I think you told us on direct that, as part of your 


13 job, you have used the ActiveDisclosure system in something 


14 called the demo environment. That's right? 


15 A. Yes, sir. 


16 ‘ act, the entire sales team nationwide had access 


17 to that platform; is that right? 


18 : Yes, sir. 


19 : And you worked principally out of an office in Houston? 


11:46 20 2 That's correct. 


21 : But you also had the ability to work remotely, you told 
22 correct? 


23 3 That's correct. 


24 ; And you could work from home specifically, if needed? 


25 . That's correct. 
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aL: Q. Right. And, sir, do I have this right that -- we're 


2 talking about 2018 through '20 now -—- that's the period that's 


3 at issue in this case —- you traveled to Florida sometime 


4 during that period? 


5 A. I don't recall if I did, but it's very possible. 


6 Q. Okay, to New York? 
7 A. Very possible. 
8 Q. And how about to Arizona? You told us that you traveled 
9 to Arizona? 
11:47 10 A. Very possible, yes, sir. 
11 ; Okay. And was that for group training work in Arizona? 
12 : Yes, Sir, it would have been. 


13 : Tell me about the group training a little bit. How many 


14 DFIN employees attended something like that? 


15 : It would have been three or four, not very many. 
16 : Just a few? 
17 : Yes, sir. 


18 : And how many times or how many group trainings did you 


19 attend in Arizona during that period? 


11:47 20 A. I believe just one. 
21 Q. And how long would that group training session have 
22 lasted? 


23 A. Two or three days. 


24 Q. A couple of days. Do you know somebody at DFIN called 


25 Julie Soma? 
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al : Yes, sir. 

2 : And was she at that same group training session? 

S : No, she wasn't. "No" was the answer. 

4 ‘ She wasn't. When you were there, did you use a laptop at 
5 the group training? 


6 A. Yes, I dad. 


. : Did you use a smartphone there? 


8 : Yes, I did. 


9 ; And so you had access to the Internet there through those 
11:48 10 devices, correct? 
11 A. That's correct. 
12 Q. Okay. And back then in 2018 through '20, all you had to 
13 do to access the system was enter a user and password 


14 combination; is that right? 


15 A. That is correct. 


16 ‘ Do you know what multifactor authentication is? 


Ly 7 I do now. 


18 . And that wasn't in place back then at DFIN, was it? 


19 : That's correct. 

11:48 20 ; There was no special security code that you have to enter? 
21 : That's correct. 
22 : No other enhanced security measures, just the user and 
23 password combination? 


24 A. To my knowledge, that's correct. 


25 Q. And as part of your job, you would visit client sites in 
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i the sales territory? 


2 : Yes, sir. 


3 ‘ And when you were visiting client sites, sometimes you 
4 us you would use Wi-Fi to access the system? 


5 ‘ Yes, sir. 


6 : Did you visit any oil and gas company client sites during 


7 period? 


8 : I don't -- I don't understand the question. 


9 Q. Sure. Among the client sites that you visited, were some 
11:49 10 of them oil and gas companies? 
11 : Yes, sir. 


12 ‘ And some of them were large oil and gas companies? 


13 : Yes, sir. 

14 : Like the ones that you mentioned a couple minutes ago? 
15 : Correct. 

16 : You had a smartphone during that time period? 


17 : Yes, sir. 


18 ‘ And the smartphone naturally had Internet access; is that 


19 correct? 

11:49 20 A. That's correct. 
21 Q. And sometimes you would also access —- use wifi to access 
22 the system from home? 


23 A. That's correct. 


24 Q. I'm going to ask you a little bit about the 


25 ActiveDisclosure platform. To your knowledge, A 
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1. : It is the previous platform that we're discussing at this 


3 Q. Okay. And it was a cloud-based solution for building and 
4 filing SEC documents; is that fair to say? 


5 A. Yes, sir. 


6 Q. And to your understanding excuse me, 
i you hear me? 


8 A. 


9 Q. -- cloud computing involves the delivery of computing 


11:50 10 services over the Internet? Yes? 


11 A. That's not how I would describe it, but, 


12 ‘ 1, tell me in your own words. 


13 : loud-based application is just something that sits ona 
14 web application and works -- is not a hard desktop application. 
15 Q. Right, it works through the Web. Yeah? 

16 A. Yes, sir. 


17 Q. that's in contrast to, say, setting up an on-site data 


18 center with servers and other physical infrastructure, is that 


19 right, to your understanding? 
11:51 20 A. To my understanding, yes, sir. 


21 MR. KOSTO: Objection to foundation. 


22 MR. FERNICH: I'm asking about his knowledge of it. 


23 He works on the system. 


24 THE COURT: Do you know? 


25 THE WITNESS: I'm not aware. don't know 
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1 if it sets up servers or what it does. 


2 Q. It doesn't do that, correct? 


3 F I wouldn't know that. 


4 O.. Well, you told us on direct that it was a cloud-based 


5 platform. You testified to that, right? 


6 A. Right, but I don't know what the workings of the back end 


7 of the application do or don't do. 


8 Q. Fair enough, but you told us it works over the Web, which 


9 is really all I'm getting at. Yes? 
11:51 10 MR. KOSTO: Objection. 
11 THE COURT: To your knowledge, does it work through 


12 the Web? 


13 : Yes, your Honor, it works through the 


15 Q. And you sort of anticipated my next guestion. The Web is 


16 short for the World Wide Web; is that correct? 


17 A. To my knowledge, yes, sir. 


18 Ox And that's because people all over the world can access 


19 and connect to it; is that right? 


11:52 20 A. That's correct. 


21 Q. Now, turning specifically to the AD system, I think you 


22 told us on direct that multiple people can collaborate on 


23 documents through the ActiveDisclosure system? Yes? 


24 A. That's correct. 


25 Q. And in fact, that's the whole point of the ActiveDisclosure 


11:52 10 
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system, isn't it? 


A. 


Not the whole point -- 


But a point? 
Yes, sir, a point. 


And you have some general knowledge -- I'm not talking 


about, you know, the specific granular technical aspects of it, 


but you sold it, so you have some general knowledge of how the 


product works; is that right? 


A. 


Q. 


That's correct. 


So let me ask you something? Do you know -—- and if you 


don't, you don't -—- what if you were logged onto the 


ActiveDisclosure system and somebody uses your credentials to 


11:53 20 


21 


22 


A. 


Q. 


here 


your 


log on, would the original person be kicked out in that 


instance? Do you know? 


I'm not aware. 


I'm almost done. This is the last question. As you sit 


today, you have no idea who, if anyone, might have used 


log-in credentials without permission to access DFIN's 


computer system; is that correct? 


A. 


That's correct. 


‘-ERNICH: Okay. Thank you very much. 


RE 


ECT EXAM ‘ION BY MR. KOSTO: 


23 


24 


25 


Q. 


In order to collaborate, Mr. Lewis, on a document, do you 


need a DFIN password and a DFIN username? 


A. 


Yes, sir. 
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1 : Nobody in the world can collaborate without that, right? 
2 ‘ That's correct. 

3 : Just because it's on the World Wide Web doesn't mean it's 
4 to anyone who doesn't have a password or a username? 


5 : To my knowledge, there is still security around it. 


6 MR. KOSTO: Do you need that one again? 
7 Q. Just because it's on the World Wide Web, Mr. Lewis, that 


8 doesn't mean you don't need a username and a password to 


9 collaborate on a DFIN document? 


11:53 10 A. That's correct. To my knowledge, there is still security 
11 around it. 


12 MR. KOSTO: Thank you. 


13 ECROSS-EXAMINATION BY MR. FERNICH: 


14 ‘ But there wasn't multifactor authentication, right? 

15 7 No, sir, not at the time. 

16 : There wasn't a special security code beyond the username 
Af and password? 


18 A. That's correct. 


19 On There weren't any enhanced security measures to protect 


11:54 20 this confidential information? 


21 A. That I don't —- I wouldn't know that. To my Knowledge, 


22 there was additional securities that was behind it. I just 


23 wasn't aware, but we had a soft-compliance staff. 


24 Q. Okay, but not the multifactor authentication that's 


25 provided? 


11:54 10 


11:55 20 


21 


22 


23 


24 


25 
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That's correct. 


MR. 


F 


KERN 


CH: Okay. Thank you very much. 


THE COURT: Thank you. You may step down. 


(Witness excused.) 


THE COURT: Next witness? 


MR. FRANK: The government calls Special Agent David 


Hitchcock. 


having been 


follows: 


THE WI] 


MR. FRANK: 


THE COURT: 


MR. FRANK: 


ERK 


DAVID HITCHCOCK 


first duly sworn, was examined and testified as 


: Could you state and then spell your last 


[TNESS: David Hitchcock, H-i-t-c-h-c-o-c-k. 


May I proceed, your Honor? 
Yes. 


Thank you. 


IRECT EXAM 


NAT 


ON 


BY MR. FRANK: 


Good barely morning, Special Agent. 


Good morning. 


Where do you work? 


The FBI. 


How long have you worked at the FBI? 


Since 2006. 


What is it that you do at the FBI? 


I'm a special agent. 
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1 ‘ How long have you been a special agent? 


2 ‘ Since March of 2009. 


3 ‘ What did you do before, between 2006 and 2009 at the F 


4 ‘ I was an IT specialist. 

5 : Are you currently assigned to a specific squad? 

6 : Yes’ 

. : What squad are you assigned to? 

8 : The Major Cybercrime Squad. 

9 : How long have you been assigned to the Major Cybercrime 
11:55 10 Squad? 


11 A. Since March of 2009. 


12 Q. Tell us a little bit about your educational background. 


13 How far did you go in school? 


14 : I have a bachelor's in science and computer science. 


15 : And when did you obtain that? 


16 . In 2005. 


17 ‘ What did you do between the time you graduated from 


18 college and joined the FBI? 


19 A. I was a software engineer. 


11:56 20 Q. Upon joining the FBI, what kind of specialized training 


21 did you receive? 


22 A. General law enforcement and specialized cyber training. 
23 THE COURT: What did you do as a private software 


24 engineer? 


25 THE WI] I for various industries, 
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1 manufacturing, healthcare. I was an architect of databases and 


2 software that would run on top of those databases. 
Si THE COURT: So not cybersecurity? 


4 THE WITNESS: No, ma'am. 


5 OF Since being assigned to the Major Cybercrime Squad, what 
6 kinds of cases have you been involved in? 


7 A. Financially motivated computer intrusions. 


8 Q. What are financially motivated computer intrusions? 


9 A. They involve access, unauthorized access to sensitive data 


11:57 10 and information, and then on the other side of that, how that 


1] information is monetized. 


12 Q. When you say "monetized," you mean what? 


13 A. So if it's stolen bank account information, how those bank 


14 accounts could be liquidated, account takeover. I it's stolen 


is) data, how it could be sold, bought, or traded. Those are -—-— 


16 Q. How people take it and make money? 


17 A. By either using the information themselves if it's a 


18 stolen credit card, or in this case, if it were stolen 


19 financial information, they might make a decision based on that 


11:57 20 stolen data. 


21 : Did there come a time when you were assigned to an 


22 tigation involving the defendant, Vladislav Klyushin? 


23 


24 : And when was that? 


25 . The fall of 2019. 
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1 ‘ What was your role in the investigation? 


2 ‘ I was a co-case agent. 
3 Q. And just so the jury understands, what does it mean to 


4 a co-case agent? 


5 A. I co-led an investigative team that was comprised of 


6 computer scientists, linguists, and other FBI personnel. 


7 Q. How did the investigation begin? 


8 : We received a referral from the United States Securities 


9 Exchange Commission. 


11:58 10 : What was the nature of the referral that you received | 


11 EC? 


12 A. Several Russian nationals were identified as trading at 


13 the same time, in the same company names, very profitably, 


14 right before news releases related to the financial earnings 


15 and statements for those said companies. 


16 MR. NEMTSEV: Objection, your Honor, to "several." 


LS) THE COURT: To what? 


18 MR. NEMTSEV: Several, the quantity several. 


19 definitive. 
11:59 20 THE COURT: Overruled. 
21 Ox What were your next steps upon receiving that referral 


22 from the SEC? 


23 A. We looked to identify a relationship amongst the 


24 individuals that had been named. We also looked to identify a 


25 single source or something common amongst all of the companies 
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i that were identified as being traded because they span such a 


2 wide variety of industries and sectors. 


3 Q. Why did the fact that they span a wide variety of 


4 industries and sectors cause you to look for a common 


5 denominator among them? 


6 A. Because one individual trading in that many different 


7 companies at a very opportune time right before news is 


8 released to the public, and it not being limited to one 


9 industry, one single source, a person or an insider at that 
12:00 10 particular company, was very suspicious. 


11 Q: What, if anything, did you find out about the companies 


12 that were the subject of the trading? 


13 A. We learned that the companies that were being traded by 


14 these individuals all filed their SEC filings through two 


15 filing agents. 


16 : What were those two filing agents? 


17 ‘ Toppan Merrill and Donnelly Financial. 


18 : What did you do next? 


19 : We reached out to those companies. 


12:00 20 : Why did you do that? 
21 : To see if they had been hacked. 


22 ‘ As part of your investigation, did there come a time when 


23 you reviewed documents associated with a company called M-13? 


24 A. 


25 Q. And as part of that, did there come a time when you 


12:01 10 


12:02 20 


21 


22 


23 


24 


25 
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lable website? 


adislav KI] 


yushin. 


And when was that arrest? 


That arrest occurred on March 21 of 2021. 


Why didn't you review the website prior to arresting the 


defendant? 


A. We were investigating a very sophisticated group of 


hackers and —— 


MR. FERNICH: Objection. 


THE COURT: Sustained. 


Q. What language or languages is the website in? 


A. The M-13 website had both a Russian language and English 


language version. 


MR. FRANK: Tf we could have -—- well, your Honor, how 


would you like me to proceed with respect to exhibits, for the 


witness only and then introduce them one by one? 


THE COURT: Yes. If they're unobjected to, you can 


just introduce them. 


MR. FRANK: Okay, thank you, 


have Exhibit 59, and I would offer i 


ae 


MR. NEMTSEV: No objection. 


What is this document, Special 


(Exhibit 59 received in evidence.) 


Agent? 


your Honor. If we could 


12:02 10 


12:03 20 


21 


22 


23 


24 


25 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 129 of 182 


3-129 


This is the Russian language version of the M-13 homepage. 


And you see at the top there 


MR. FRANK: I'm not sure if 


"s two tabs. 


can indicate on my 


computer. Ms. Molloy, can I indicate on my computer? 


THE CLERK: No, that is not working, 


but Jen can. 


MR. FRANK: Jen, could you indicate -- exactly. You 


read my mind. 


I do. 


Do you see those two tabs there? 


So this is the Russian language tab? 


Yes. You can note the oval around the letters "RUS." 


MR. FRANK: I'd offer Exhibit 60A. 


THE CLERK: 60A as in apple? 


MR. FRANK: Yes. 


Exhibit 60A received in evidence.) 


What is Exhibit 60A? 


This is the M-13's English version of 


the website. 


And this is a particular page from that website? 


Yes, sir. 


Could you read it for the record, please. 


"Monitoring and analysis of mass media and social media, 


M-13 Company specializes in IT sol 


£ 


utions 


and employs a staff of more than 


100 developers, 


or media monitoring, 


linguists, 


media analysts, and other experts who have necessary skills and 


expertise in creating powerful and commercially successful 
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1 automated tools for monitoring and media analysis. 


2 IT solutions developed by the M -13 are used by the [redacted] 


3 the Government of the Russian Federation, federal ministries 


4 and agencies, regional state executive bodies, commercial 


5 companies and public organizations." 


6 Q. Thank you, Special Agent. 


7 MR. FRANK: Could we have Exhibit 61A, please, and I 


8 offer it. 


9 (Exhibit 61A received in evidence.) 


12:04 10 O. Special Agent, is this another page from the English 


‘lal language version of the M-13 website? 

12 A. 

13 Q. Could you read the first heading and the bullet points, 
14 please. 


15 A. "Research and information system for online media 


16 monitoring. News displayed in online mode. Express analysis 


17 of information field. Rapid detection of information attacks. 


18 Performance evaluation of press services and promotional 


19 events." 


12:04 20 Q. And I neglected to ask you if you could just read the 
21 heading at the top of this page. 
22 A. Katyusha. 


23 MR. FRANK: Could we have 62A, please, and I 


24 


25 Exhibit 62A received in evidence.) 
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1 Q. Special Agent, is this another page from the English 


2 language version of the M-13 website? 
3 A. 


4 O. Could you read the heading at the top and the top half 


5 the page, please. 


6 A. "Cybersecurity. Cybersecurity audit. Ensuring the 


7 cybersecurity of its infrastructures is a priority of any 


8 company. Hacker attacks can lead to huge ramifications. Major 


9 financial and reputational damage. Industrial cyber espionage. 


12:05 10 Blackmail of company management or random employees. Theft and 


11 leakage of confidential information, company's solutions and 


12 know-hows. Risk of costs and massive data losses while being 
13 unable to restore backups in case of hackers using the 


14 encryption software. M-13 provides a comprehensive service 


LS package in cybersecurity. If you need a consultation or have 


16 any questions, please contact us by email: Mis@m-13.ru." 


ay Q. And that .ru, are you familiar with that suffix on an 


18 email address? 


19 Ax . It refers to the Russian top-level domains. 


12:06 20 Q. And under the heading "Services we provide," could you 


21 read bullet points 2, 3, and 4, please. 


22 A. "Penetration testing (white box, black box) advanced 


23 persistent threat (APT) emulation. Conducting the ‘instant 


24 response' exercises between blue team and red team." 


25 MR. FRANK: Could we have Exhibit 63A, please, and I 
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2 (Exhibit 63A received in evidence.) 

i) Q. Special Agent, is this another page from the M-13 English 
4 language version of the website? 

5 A. 

6 Q. Could you read what it says under "Penetration testing," 
7 please. 

8 A. "Penetration testing. Penetration testing is meant to 


9 detect security vulnerabilities. Classic penetration testing 


12:07 10 methods include: White box (white box method). Targeted 


ala software testing, which assumes that the internal 


12 structure/implementation of the system is known in advance. 


13 Black box (black box method). Targeted testing, which assumes 


14 no prior knowledge of the structure/implementation of the 


15 tested system." 
16 MR. FRANK: And, Ms. Lewis, if we could go to the next 
17 portion of the page, "Advanced persistent threat emulation." 


18 Q. Special Agent, could you read that, please. 


19 A. "Advanced persistent threat (APT) emulation. The most 


12:07 20 sound and modern method of testing and analyzing the 


21 infrastructure security. Our experts imitate a full-scale 


22 targeted attack, during which the attacker, while trying to 


23 conceal his presence, uses a wide range of actions against the 


24 organization's infrastructure." 


25 MR. FRANK: Could we have Exhibit 64A, please, and I 
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2 (Exhibit 64A received in evidence.) 


3 Q. Special Agent, is this a continuation of this section of 


4 the M-13 website in English? 


6 : I'd like you to please read for the jury the section under 


. Instant response exercises." 


8 A. "On average, the detection of system penetration takes 


9 from 6 months to a year. During this period, an intruder is 


12:08 10 able to inflict significant damage. We offer a security 
11 response check, which helps to train the security team and 


12 fine-tune all the available security features." 


13 Q. Special Agent, in addition to the pages that we just 


14 reviewed, did you and your team review the rest of the M-13 


15 website? 


17 Q. Was there anything in the pages that we just reviewed or 


18 on the rest of the website dealing with money management or 


19 investing? 
12:09 20 A. No. 


21 MR. FRANK: Could we have Exhibit 141 on the left and 


22 141A, please, on the right, and I'd offer these two exhibits. 


23 (Exhibits 141 and 141A received in evidence.) 


24 ‘ Special Agent, what are Exhibits 141 and 141A? 


25 . 141 is a Russian language version of 141A, which is an FBI 
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] translation of 141. 


2 0. And if you could please read from the translated version 


3 what this document is. 


4 A. "Redteam-company campaign for corporate information system 
5 of Avilex LLC. Technical and commercial proposal," and it's 

6 dated 2019. 

a MR. FRANK: Ms. Lewis, if we could at 141A go to 


8 Page 4, please. 


9 Q. Special Agent, could you please read under "Services 


12:10 10 offered" what it says under bullet point 1, "External 


‘Lal penetration testing." 


12 A. "External penetration testing aimed at finding ways the 


13 external intruder penetrates the customer's local area network 


14 (LAN) using vulnerabilities and errors in network devices's 


15 configurations, as well as network services and applications 


16 accessible through the Internet. Work is carried out in the 


Ay following order: Obtaining preliminary information about the 


18 network perimeter based on the sources of information available 


19 to the potential offender (search engines, news, conferences, 


12:11 20 et cetera). Scanning network perimeter nodes. Identifying 


21 types of devices, operating systems, and applications that 


22 react to external impact. Identifying network service 


23 vulnerabilities. Security analysis of network infrastructure 


24 and email services. Instrumental testing. Initial results 


25 analysis. Manual vulnerability verification. Manual analysis 


12:12 10 
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£ 


f obtainable resources (including analysis of 


pt 


the possibil 


_ 


versions o 


ity o 


software and network services). Identification 


exploitation of known vulnerabilities of 


sensitive data stored in open form. Detection of unsafe 


configurations of network equipment and servers. Analysis of 


£ 


security of 


box method; 
information 


of the most 


external corporate Web applications by the black 


that 


is, from intruder's end that has neither 


nor the logical access to the system. Exploitation 


dange 


network perimeter 


rous vulnerabilities in order to breach the 


(including exploitation of known 


og 


vulnerabilities of outdated versions of software and network 


services). 


Obtaining credentials to access servers, network 


equipment, database management systems, Web applications. 


Identification of sensitive data stored in open 


we 


form. Use of 


unsafe configurations of network equipment and servers. 


12:13 20 


21 


22 


23 


24 


25 


specialists, 


Identification of possible countermeasures for the customer's 


as well as reaction measures for intrusion 


detection and prevention systems." 


Q. Special Agent, where did you find this proposal? 


A. This was communication sent -- well, where it was found 


specifically was 


in Vladislav Klyushin's Apple account. 


Q. And we'll get to how you obtained it there in just a 


moment, but you were about to say where it was sent and by 


whom. 


A. And this was 


found within the WhatsApp communications 
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1 between Vladislav Klyushin and an individual associated with 


2 the Avilex LLC document, which was on the cover page, anda 


3 person with the name Sergey Uryadov. 


4 Q. This was communicated to the defendant by Sergey Uryadov? 
5 A. Yes. 


6 MR. FRANK: Could we have Exhibit 149, please, and I 


7 offer it. 


8 (Exhibit 149 received in evidence.) 


9 Q. As part of your investigation, Special Agent, did you 


12:14 10 review M-13's publicly available Facebook page? 
11 : Yes. 


12 . What is Exhibit 149? 


13 : This is a screenshot of that Facebook page. 


14 : And if I could direct your attention to the right-hand 


15 side of the Facebook page, do you see under the entry "M-13" 
16 there's a date? 
17 A. March 21, 2019. 


18 Q. And then there is several paragraphs in Russian. Do you 


19 see that? 


12:14 20 Z I do. 


21 : And then there is a section in English. Do you see that? 


22 2 Yes. 


23 : Was that an FBI translation or something else? 


24 ‘ This is machine translation offered by Facebook. 


25 : Could you read into the record, please, the first 
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1 paragraph of the English translation and then the first two 


2 sentences of the second paragraph. 


3 : [Information security plays a key role in modern business. 


4 The consequences of hacking attacks can be huge. M-13 provides 


5 a list of information security services for large companies and 


6 small businesses." 


7 Q. And if you could just continue the first two sentences of 


8 the next paragraph. 


9 A. "We are contacted by clients with various inquiries. Most 


12:15 10 often, they concern red team campaigns. We completely simulate 
11 the actions of a cyber crime group." 

12 Q. Thank you. 

13 MR. FRANK: Ms. Lewis, you can take that down. Thank 
14 you. 

15 Q. Special Agent, a moment ago you mentioned obtaining 


£ 


16 documents from the defendant's iCloud account, and I'd like to 


£ 


LS} ask you a few questions about that. As part of the 


18 investigation, did there come a time when the government 


19 obtained search warrants? 
12:15 20 A. 
21 O. What is a search warrant? 
22 A. A search warrant is a court-authorized order that allows 


23 for the seizure and search of a thing. It can be a house. It 


24 can be a filing cabinet at a business. It can be an email 


25 account. 


12:16 10 


12:17 20 


21 


22 


23 


24 


25 
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And who authorizes the search warrant? 


A federal judge. 


What kinds of 


search wa 


rrants -—- well, did the government 


obtain search warrants in this case? 


VES: 


What kinds of search warrants did the government obtain? 


Email account 


accounts. 


Q. 


A. 


What can you 


s, social media accounts, Apple iCloud 


search in 


The items that have bee 


account. 


Q. 


A. 


What kinds of 


It can be documents. 


items are 


like email or chat communica 


Q. 


Do you always 


an Apple iCloud account? 


n backed up to the Apple iCloud 


those? 


It could be photos, communications 


tions. 


find all 


of those things when you search an 


Apple iCloud account? 


MR. FERN 


THE COURT: 


Did you find 


CH: Objection. 


all of tho 


Sustained. 


se things in the iCloud accounts 


you searched in this case? 


No. 


No. 


MR. FERN 


Each of the accounts? 


Based on your training and experience, why not? 


CH: Objection. 
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1 THE COURT: Sustained. 


2 Q. Special Agent, are you familiar with how backing items up 
3 to the iCloud works? 
4 A. Yes. 


5 QO. How does it work? 


6 MR. FERNICH: Objection. 


7 THE COURT: Overruled. 


8 A. Items can be backed up based on a variety of circumstances. 


9 In certain instances, items are backed up automatically by the 


12:17 10 operating system of the device. It can be the specific things 


11 that a user has chosen to be backed up. In certain instances, 


12 things are backed up and a user decides to delete them, so you 
13 wouldn't expect to -- 


14 MR. FERNICH: Objection. 


15 THE COURT: Yes, this is just going too far afield. 
16 Only ask about this case. 


ay Q. What were some of the iCloud accounts that you —-- that the 


18 EF searched as part of this investigation? 


19 A. Could you repeat the question, sir. 


12:18 20 QO. What were some of the iCloud accounts that the F searched 


21 as part of its investigation? 


22 A. Vladislav Klyushin, Igor Sladkov, Ivan Ermakov, Mikhail 


23 Irzak, Nikolai Rumiantcev, Olga Opukhovskaya, and others. 


24 Q. You mentioned a name we hadn't heard before, Olga 


25 Opukhovskaya. Who's that? 
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1 MR. FERNICH: Objection, foundation. 


2 THE COURT: Do you know who it is? 


3 THE WITNESS: Yes, ma'am. 


4 THE COURT: Overruled. 


5 : Olga Opukhovskaya is Igor Sladkov's cohabitant. 


6 ‘ Do they have children together? 


i : They do. 


8 ‘ Did you personally review each and every document in all 


9 of those iCloud accounts, or were there others involved? 


12:19 10 A. We obtained a voluminous amount of information from 


11 various email accounts and Apple iCloud accounts, and the 


12 investigative team reviewed those, and I was a part of that 


13 team. 
14 Q. Prior to coming to court today, have you had an 


LS opportunity to review certain exhibits that were obtained by 


16 means of those iCloud search warrants? 
Ly A. Yes. 


18 MR. FRANK: I'd like to offer Exhibits 1, 2, 


19 6, 7, and 8. And, Special Agent, I'm going to take you through 


12:19 20 each of those in turn beginning with Exhibit 1. 


AL Exhibits 1-8 received in evidence.) 


22 : is this? 


23 : is a picture of Vladislav Klyushin's passport. 


24 . Exhibit 2? 


25 . This is a picture of Nikolai Rumiantcev's passport. 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 141 of 182 


3-141 


1 ; Exhibit 3? 


2 ‘ This is a picture Ivan Ermakov's passport. 


3 ‘ Exhibit 4? 


4 ‘ This is a picture of Boris Varshavkiy's passport. 


5 ; Exhibit 5? 


6 : This is a picture of Sergey Uryadov's passport. 


7 : Exhibit 6? 


8 : This is a picture of Alexander Borodaev's passport. 


9 : And based on your investigation, does he go by another 
12:20 10 name? 
11 A. Sasha. 


12 . Exhibit 7? 


13 : This is a picture of Mikhail Irzak's passport. 


14 . Exhibit 8? 


15 : This is a picture of Igor Sladkov's passport. 


16 : Thank you, Special Agent. 


17 MR. FRANK: Ms. Lewis, you can take that down. 


18 could call up on the left Exhibit 58 and on the right 


19 Exhibit 58A, and I'd offer those two exhibits. 


12:21 20 (Exhibits 58 and 58A received in evidence.) 


21 7 Special Agent, what are we looking at in Exhibits 58 and 


22 


23 A. This is both a Russian language version and an F 


24 translated into English version of a list of employees involved 


25 in a construction project. 
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£ 


al: Q. Where was this document found? 


2 A. This was found both in Vladislav Klyushin and Nikolai 


3 Rumiantcev's Apple accounts. 


4 O.. Directing your attention to Exhibit 58A, could you read 


5 the heading on the page, please. 


6 A. "The list of employees involved in the construction of -—-" 


i and then there are several letters making an acronym. 


8 Q. Thank you. And if you look at the list, Special Agent, do 


9 you see that under "Employer" there are two entities listed? 
12:22 10 


11 , [ like to ask you some questions about some of the 


12 individuals listed under LLC M-13. n English, what does "LLC" 


13 translate to? 


14 A. Limited liability corporation. 


LS Q. Directing your attention to Item 13, do you see there's an 


16 entry there? 


17 : Yes, Vladislav Klyushin. 


18 ‘ Okay. And he's listed under M-13? 


19 Yes. 


12:22 20 . What is the title that's listed? 


21 : First Deputy Director General. 


22 : Item 14? 


23 : Zhannetta Klyushina. 


24 ‘ And how is Ms. Klyushina listed? What is her title? 


25 . Advisor to the Director General. 
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i : Directing your attention to 1] 


2 e van Ermakov. 


3 : He's also listed under M-13? 


4 : Yes. 


bs F What is his title? 


6 : Deputy Director General. 


7 . Item 27? 


8 : Nikolai Rumiantcev. 


9 : He's also listed under M-13? 


12:23 10 : Yes. 


11 : What is his title? 


12 : Deputy Director. 


13 ‘ Thank you. 


14 MR. FRANK: Ms. Lewis, if you could now put up 


15 Exhibit 248, and I'd offer it. 


16 (Exhibit 248 received in evidence.) 
17 : Special Agent, you see this is a group photo? 


18 : I do. 


£ 


19 : I'd like to ask you about the individual about four in 


12:24 20 from the right —-- Ms. Lewis, if you could indicate him —- 
21 wearing a suit and a brown tie. 


22 A. This is Nikolai Rumiantcev. 


23 Q. And who is the individual behind him and to the right in 


24 the corner? 


25 A. The defendant, Vladislav Klyushin. 
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1 MR. FRANK: Ms. Lewis, if you could call up 


2 Exhibit 13, please, and I'd offer it. 


3 (Exhibit 13 received in evidence.) 


4 : Special Agent, who's depicted in this photograph? 


3 F van Ermakov. 


6 MR. FRANK: And, Ms. Lewis, if you could enlarge the 


. portion of the photograph. 


8 Q. Can you read what it says on that sticker on Mr. Ermakov's 


9 shirt? 


12:24 10 : It has the M-13 logo. 


11 ‘ Where was this photograph of Mr. Ermakov wearing a sticker 


12 the M-13 found? 


13 : In the iCloud account of Vladislav Klyushin. 


14 Q. Sitting here today, do you have a memory of what the date 
LS of this photograph was, as indicated in the iCloud account? 


16 : : It was December 26, 2019. 


17 : Did you find other photos of Mr. Ermakov in Mr. Klyushin's 


18 iCloud account? 


19 A. Yes. 


12:25 20 MR. FRANK: The first of these, your Honor, is 


2] Exhibit O. 


22 MR. NEMTSEV: That's objected to, your Honor. 


23 THE COURT: Let me take a look. Well, why don't you 


24 fy it. What is it? 


25 MR. FRANK: He doesn't have it in front of 
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uc Honor. Let me —- 
2 THE COURT: He doesn't? 


Si MR. FRANK: May I approach? 


4 Q. Special Agent, could you tell the Court who is depicted in 


5 Exhibit O. 


6 A. This is Ivan Ermakov. 


7 Q. Where did you find it? 


8 A. This was located in Vladislav Klyushin's Apple account. 


9 MR. FRANK: I'd offer it.. 


12:26 10 MR. NEMTSEV: Your Honor, we objected to it. 


ded. COURT: Overruled. 


12 CLERK: Can I get the next number? 
13 MR. FRANK: 108. 
14 THE CLERK: Oh, you're going to put it in as 108. 


15 Thank you. 


16 (Exhibit 108 received in evidence.) 


17 : Special Agent, tell us what we're looking at. 


18 ; This is a picture of Ivan Ermakov at the 2018 World Cup. 


19 MR. NEMTSEV: Objection. 


12:27 20 COURT: What are we talking about now, 118? 


21 MR. FERNICH: Objection. 


22 MR. FRANK: 108. 


23 MR. FERNICH: Objection to the characterization and 


24 description. 


25 THE COURT: How do you know that? 
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1 THE WITNESS: There's a logo on the red shirt which is 


2 the logo for the —- 


3 MR. FERNICH: Objection. 


4 THE COURT: How do you know this? 


5 THE WITNESS: It's -—- it's the logo for the 2018 World 


6 Cup at Sochi. 


7 THE COURT: Overruled. 


8 THE WITNESS: There's also a logo on the lanyard, 


9 which is also for that same event. 


12:27 10 THE COURT: I'll allow it as so described. They can 


11 draw whatever inferences they want from it. 


12 : Were you also able to date this photograph? 
13 : Yes. 


14 : And how did the date correspond to the World Cup in Sochi? 


15 : It corresponded with the event. 


16 ‘ And, again, this photo was found where? 


Ay : In the Apple account of Vladislav Klyushin. 


18 MR. FRANK: Could we have Exhibit 123, please. 


19 : What are we looking at in Exhibit 123? 


12:28 20 : This is a picture of Ivan Ermakov sitting next to 


21 slav Klyushin at the same event. 


22 : Does this appear to be a selfie? 


23 : It is, yes. 
24 ‘ And again this was also found in the same location? 


25 . Yes. 
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i Q. Exhibit 109, please. Special Agent, was this photograph 


2 taken at the same event on a different day? 


3 A. Yes. You'll notice the red shirts in the background, the 


4 lanyards with the same logo, and it's within the date frame of 


bs the same event. 


6 ; Beginning on the left, can you identify the individual on 


7 far left? 


8 ‘ Yes. That is Zhannetta Klyushina. 


9 ‘ We saw Ms. Klyushina's name on that list of employees a 
12:29 10 moment ago? 


Ved. 7 Yes. 


12 é How is she affiliated with the defendant? 


13 : That is Vladislav Klyushin's wife. 


14 : And who is standing with his arm around her? 


15 : That is Vladislav Klyushin. 


16 ‘ Who is the individual next to Mr. Klyushin on the other 


18 : Sergey Uryadov. 


19 ; A moment ago we looked at a red team proposal document? 
12:29 20 : Yes. 
21 : And I believe you told us —-- well, tell us again, who sent 


22 document to whom? 


23 : Vladislav Klyushin sent that proposal to Sergey Uryadov. 


24 ‘ then jumping over the person in the middle, can you 


25 fy the person who's second from the right? 
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al ; van Ermakov. 


2 ‘ Could we look at Exhibit 110, please. Special Agent —-- 


3 MR. FRANK: Well, I'd offer 110, and, Ms. Lewis, if 


4 you could play 110, and I'm going to ask you to stop it shortly 


5 before the end. 


6 (Exhibit 110 received in evidence.) 


7 (Video played.) 


8 MR. FRANK: I'm afraid we're missing the audio. Can 


9 you pause it, please. We're still having audio problems. Can 


12:30 10 we pause it? 


11 Q. While we're paused, Special Agent —-- 


12 MR. FRANK: Ms. Lewis, if we could actually briefly 


13 up Exhibit 3. 


14 ‘ Do you see there's a date of birth listed —- 
15 : Yes. 

16 ‘ —-- on Mr. Uryadov's passport? 

17 ‘ Yes. 


18 2 What is his date of birth? 


19 . April 10, 1986. 


12:31 20 MR. FRANK: And, Ms. Lewis, with apologies for that, 
21 could you take us back to Exhibit 110. 
22 (Video played.) 
23 MR. FRANK: We still appear to be having audio issues. 


24 THE COURT: Well, is the audio important to you? 


25 : Well, Special Agent, can you tell us whether you were able 
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i to identify what was happening, audio-wise, in this video? 


2 A. Yes. The individuals at the table were singing Happy 


3 Birthday in Russian. 


4 ‘ You could tell from the melody? 


3 ‘ Yes. 


6 : The same melody we're familiar with in ] 


7 3 Yes. 


8 ; And what was the date? Do you recall the date of the 


9 photograph? 


12:32 10 A. April 10, 2018. 


11 Q. Okay, and if we could just play the video. 
12 (Video played.) 


13 MR. FRANK: Can we pause it. 


14 Q. Special Agent, who's the individual on the right of 


15 screen with the birthday cake in front of them? 


16 : van Ermakov. 


17 : And who is the male individual sitting across the table 


18 him? 


19 : That is Sergey Uryadov. 

12:32 20 ; Thank you. 
21 MR. FRANK: Ms. Lewis, you can continue. 
22 (Video played.) 
23 : Where was this video found? 


24 ‘ This was found in Vladislav Klyushin's Apple account. 


25 MR. FRANK: Could we have Exhibit 100, please, and I 
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12:34 10 


(Video played.) 


MR. FRANK: 


THE COURT: 


THE COURT: 
Q. Special Agent, 


Exhibit P? 


12:34 20 


21 


22 


23 


24 


25 


am. 


Who is it? 


3-150 


(Exhibit 100 received in evidence.) 


The next exhibit is Exhibit P, your Honor. 


Yes. 


approach the witness? 


(Discussion between the Court and Clerk.) 


Do we have the right -- 


are you able to identify the individual in 


This is Ivan Ermakov. 


Where was this photo 


MR. FRANK: 


found? 


[In Vladislav Klyushin's Apple account. 


offer it. 


MR. NEMTSEV: We 


we stated. 


THE COURT: 


object, your Honor, for the reasons 


Sustained. 


Q. Could we take a look at Exhibit 120, please. Special 


Agent, taking a look at 


Exhibit 120, who are the individuals on 


the far right sitting -- well, who's the first individual on 


far right in the fron 


The female is 


Zhanne 


Who is sitting next 


? 


tta Klyushina. 


to her making a V for victory sign? 
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1 : That is Vladislav Klyushin. 


2 : Who's the individual next to him? 


3 F van Ermakov. 


4 ‘ Who's the individual across from him, also making a V f 


5 victory sign? 


6 A. Sergey Uryadov. 


7 QO. Could we look at Exhibit 122, please. 

8 (Video played.) 

9 Q. Special Agent, was this video from the same location as 
12:35 10 the prior photograph? 
11 : Yes. 
12 : Who are the individuals depicted? 


13 : On the right is Vladislav Klyushin, and on the left is 


14 Ermakov. 


15 : And can you for the record describe what's happening. 


16 é Yes. The two are —- 


ike) MR. FERNICH: Objection. 


18 THE COURT: Sustained. 


19 MR. FRANK: Could we have Exhibit 119, please. 


12:36 20 : What are we looking at, Special Agent? 


21 : This is a picture of Ivan Ermakov on the top of a 
22 mountain. 


23 : Is this on the same day? 


24 : It is. 


25 : Where was this photo obtained? 
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dL: A. Vladislav Klyushin's Apple account. 


2 Q. Can we look at Exhibit 107, please. Where was this photo 
3 obtained? 


4 A. This was in Vladislav Klyushin's Apple account. 


5 Or. Who is the individual on the right with his back to the 
6 camera? 


7 MR. FERNICH: Objection. 


8 THE COURT: Sustained. 
9 Q. Were you able to identify that photo based on other photos 
12:36 10 found nearby? 


Ad. 7 Yes. 


12 : I'd ask the question again: Were you able to identif 


13 individual? 


14 . I was. 


15 ; Who was it? 


16 : Nikolai Rumiantcev. 


17 : Okay. And directing your attention to this individual 


18 that Ms. Lewis is indicating across the table, who is the 


19 individual with a red circle around him across the table from 


12:37 20 Mr. Rumiantcev? 


21 A. van Ermakov. 


22 MR. FRANK: Could we have Exhibit 106, please. 


23 : Where was this photo obtained? 


24 ‘ In the Apple account of Vladislav Klyushin. 


25 : Who is the individual on the left in a blue sweatshirt? 
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al A. van Ermakov. 


2 Q. Who's the individual opposite him on the right in a gray 
3 sweatshirt? 


4 A. Sergey Uryadov. 


5 Q. Could we have Exhibit 124, please. So where did you | 


6 this photograph? 


i : In the Apple account of Vladislav Klyushin. 


8 : Who is the individual the left? 


9 . In the white shirt, Ermakov. 


12:38 10 2 Who is the individual i the middle? 


11 : Sergey Uryadov. 


12 : Could we have Exhibit 125, please. Where did you | 


13 this photograph? 


14 : In the Apple account of Vladislav Klyushin. 


15 : Who's the individual on the right? 


16 : van Ermakov. 
17 : Who is the individual next to him? 


18 : Sergey Uryadov. 


19 : Could we have Exhibit 127, please. Who are the 


12:38 20 individuals -—-- well, who are the two males depicted in this 


21 photograph? 


22 A. The individual on the let foreground is 


23 Ermakov. 


24 Q. Who is the male on the right? 


25 A. Vladislav Klyushin. 


12:39 10 


12:39 20 


21 


22 


23 


24 
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And who's in between them? 


Klyushin's wife, Zhannetta. 


event. 


Speci 


Vladi 


I'd like to show you some other photographs from that same 


MR. FRANK: Can we have 128, please. 


Psi 


ei 


Agent, who's on the left? 


av Klyushin. 


Who's next to him? 


Anslem Shmucki. 


Who's on the right? 


Zhannetta Klyushina. 


MR. FRANK: Could we have 147, please. 


Beginning on the left, who's that individual? 


Alexander Borodaev. 


Who's the individual in the middle? 


Vladislav Klyushin. 


Who's the individual on the right? 


Boris Varshavksiy. 


The next exhibit is ] B and D, and actually W also 


goes with it. 


Q. 


is 


MR. FRANK: May I approach, your Honor? 


THE COURT: Yes. 


Special Agent, could you tell the Court who the individual 


in Exhi 


bit B. 


25 


THE COURT: I'm not sure 
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1 right. All right. 


2 Q. Special Agent, who's the individual in Exhibit |] 


3 A. This is Anslem Shmucki. 


4 MR. FERNICH: Objection, foundation. 


5 THE COURT: Sustained. 


6 Q. Special Agent, how do you know who the individual is in 


7 Exhibit B? 


8 A. Because of communications sent between Vladislav Klyushin 


9 and Anslem Shmucki. 


12:40 10 MR. FERNICH: Objection, foundation. 
11 THE COURT: Sustained. Why don't we deal with this at 
12 the break. 


13 MR. FRANK: Yes, your Honor. 


14 Q. Special Agent, as part of your review of the Klyushin 


15 iCloud backup, did you find any communications between the 


16 defendant and Mr. Ermakov? 


17 A. 


18 Q. Are you familiar with a messaging platform called 


19 "WhatsApp"? 
12:41 20 A. 
21 Q. What is WhatsApp? 


22 A. WhatsApp is a communications platform that can be 


23 installed on mobile devices, like a smartphone, and allows for 


24 encrypted exchange of text or audio. Messages could be sent 


25 between as well as audio. Think of it as a telephone call 
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al between the two, two parties, two or more parties. 


2 Q. And how are you able, if at all, to identify who the 


3 parties are who are parties to a WhatsApp communication? 


4 A. By the telephone number. 


5 O- And before coming here today, did you have an opportunity 


6 to review what has previously been marked as Exhibit 151? 


7 A. Is it on the -- 


8 Q. It's not on the screen, but did you have an opportunity to 


9 review WhatsApp communications between the defendant and 


12:42 10 Mr. Ermakov? 

11 A. Yes. 

12 Q. Okay. And you mentioned a moment ago that WhatsApp 

13 communications are encrypted. Were the communications that you 


14 reviewed able to be read? 


16 : Can you explain that. 


17 A. We found the communications in an unencrypted form that 


18 were backed up to Vladislav Klyushin's Apple account. 


19 MR. FRANK: Your Honor, I'm not sure how you'd like me 


12:42 20 to proceed with these. We have them individually designated 


21 from the larger communication. 


22 THE COURT: All right. 


23 MR. NEMTSEV: Your Honor, we've never seen the 


24 designations. 


25 THE COURT: You received all these, though, right? 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 157 of 182 
S157 


1 MR. NEMTSEV: The specific spreadsheet, yes, but not 


2 the specific portions. 


3 THE COURT: Well, do you have them in a way that he 


4 can see them first before showing them? 


5 MR. FRANK: If there were a way to show them for 


6 counsel only, yes, I understand the computer is not 
7 working. 
8 THE COURT: Well, you don't have them printed out in 


9 any way? 


12:43 10 MR. FRANK: We do not. If counsel wants, we can show 
11 them to him on Ms. Lewis' computer. 

12 THE COURT: Yes. Why don't you walk over there? 

13 (Pause. ) 

14 THE COURT: You don't have to show them everything. 
15 Okay, let's go. 


16 Q. Okay, special Agent, directing your attention -—- well, if 


17 we could call up 151A, please, do you recognize 151A? 


18 A. 


19 Q. Directing your attention to the date/time, was this the 


12:44 20 first of the WhatsApp communications that you found? 


21 : Between Ivan Ermakov and Vladislav Klyushin, yes. 


22 - What is the date? 


23 : October 29, 2018. 


24 : And do you recall when the last date was of the iCloud 


25 communications that you found between the defendant and 
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al . Ermakov? 


2 ‘ October of 2020. 


3 MR. FRANK: And just for the record, I Fer all of 


4 Exhibit 151A for identification only. 


is (Exhibit 151A for identification.) 


6 Q. And then, Special Agent, as to 151A, which I've offered 


i into evidence, I'd like you to please -—- well, let me ask you 


8 one prefatory question. When you found the messages, what 


9 language were they in? 


12:45 10 A. Russian. 


11 Q. And so we see a translation in the middle of the page. 
12 Who prepared that translation? 


13 A. The FBI. 


14 Q. Okay. Could you please read for the record the English 


15 translation of this excerpt. 


16 THE COURT: First of all, who's speaking? 


18 THE WITNESS: I can tell from this exchange. 


19 THE COURT: Yes? 


12:46 20 THE WITNESS: Yes. 


21 Q. So, Special Agent, tell us again how you can tell who's 
22 speaking. 

23 A. WhatsApp communications were backed up in a form that 
24 denoted a "from" and a "to" recipient by phone number, and the 


25 phone number to two names were also found within the chat 
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aE content. 


2 Q. Okay. And did you find other records indicating the phone 


Si numbers of Mr. Ermakov and Mr. Klyushin? 


4 A. Yes. The Apple subscriber information corroborated that 


5 Lnformation. 


6 : And why don't we just take a moment to look at that right 


7 Exhibit 9. What is Exhibit 9? 


8 : These are the Apple subscriber records for Vladislav 


9 Klyushin's Apple account. 
12:46 10 0. Okay. And if we could move over just a bit toward the 
11 right, do you see a number there? 


12 A. I do. 


13 Q. What are the last four digits? 


14 A. The last four digits are repeated by other members 


15 associated with Klyushin's family, so I'll I'll read a few 


16 more. 
17 Q. You see those four digits? 


18 A. I do. 


19 Ox Okay. And were those the digits that you used to identify 
12:47 20 the WhatsApp communications? 
21 : Yes. 


22 ; Okay. And if we could look at Exhibit 11. What is this? 


£ 


or Ivan Ermakov. 


23 : These are the Apple subscriber records 


24 : And if we could move all the way to the right, again do 


25 you see a phone number there under the 
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al : Yes, I do. 


2 ‘ And what are the last four digits? 
3 : 0085. 


4 MR. FRANK: And just to be clear, I offer 9 and 11. 


5 (Exhibits 9 and 11 received in evidence.) 


6 Q. If we could now go back to 151A. And, Special Agent, do 


7 you see that under the "from" column, there's a number ending 
8 in 0085? 
9 : Yes. 


12:48 10 2 Whose number is that? 


Ved. ‘ van Ermakov. 


12 < Okay. And then under the "to" column, you see there's a 


13 number ending in those four digits? 
14 : 1413, yes. 


15 : And whose phone number is that? 


16 : Vladislav Klyushin. 


ay ‘ Thank you. Could you now read for the record the English 


18 language translation of this exchange identifying, as to each 


19 line, who the speaker is. 


12:48 20 ; Ermakov: Hi, I changed the number. Ivan. 


21 Klyushin: Hi. What did Igor bring me as a present? 


22 Ermakov: Hi. I didn't understand the question. Did he 


23 not give it to you? 


24 "Klyushin: No, but I am testing you. 


25 "Ermakov: That or you are testing me? 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 161 of 182 


3-161 


1 Klyushin: Who knows who is writing? Alright. 


2 Ermakov: The hoodie and the L-sized Tesla logo black 


3 Es 


4 Ermakov: Thumbs-up emoji. Greetings, greetings." 


5 MR. FRANK: Thank your, Special Agent. 


6 If we could now have 151B, and I'd offer 


7 (Exhibit 151B received in evidence.) 


8 Q. Special Agent, could you tell us the date of 
9 exchange. 


12:49 10 A. November 21, 2018. 


11 Q. Could you read it for the record and identit 


12 speakers, please. 
13 A. "Klyushin: Good morning. How about we go to sauna at 


14 1700 today? And head home earlier? 


15 "Ermakov: I won't make it by 17:00. Let us try by at 


16 least 1730. That, or be there by 17:00 and I will come lat 


17 "Klyushin: Okay, no problem. I just don't want it to be 


18 too late. 


19 Ermakov: I concur. I think 17:30 is fine. 


12:50 20 Klyushin: Okay." 


21 MR. FRANK: Could we have 151C, and I 


22 (Exhibit 151C received in evidence.) 


23 Q. Special Agent, what is the date of this exchange, and 


24 could you read it for the record, please? 


25 A. December 3, 2018. 
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1 Ermakov: I won't be able to call you back. I forgot my 


2 phone at work. 


3 "Klyushin: Hi. I want to hear how is your trading, since 


4 Kolya is on vacation. 


5 "Ermakov: Our shares grew a bit. I will be closing some 


6 today. On others we will wait longer. They fell too much, 
7 need to wait more." 
8 Q. Thank you. 


9 MR. FRANK: Your Honor, the next exchange is objected 


12:51 10 COs I can skip over it, but then counsel will need to review a 
11 few more exchanges. 

12 THE COURT: All right. 

13 (Pause.) 

14 MR. FRANK: Okay, Ms. Lewis, if you could show us 


15 151F, please. 


16 THE CLERK: F? 
Ly MR. FRANK: F as in Frank. 


18 THE CLERK: Thank you. 


19 Q. Special Agent, if you could identify the date of this 
12:53 20 exchange. 


21| A. May 25, 2019. 


22 Q. And could you read the English language version, 


23 identifying the speaker, please. 


24 A. "Klyushin: I did the math for Boris, starting November 1, 


25 2018, ending May 25, 2019. The profit comes to 
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alt Ermakov: How about Sasha? 


2 "Klyushin: One second. 69.3 percent. (Three tears of 
3 joy emoji.) Boris earned $989,000 on $500,000. Sasha $693,000 


4 on $1 million. They don't even ask why anymore. I told them 


5 that there are different strategies and we are still looking 


6 closely. 


7 "Ermakov: (Thumbs up emoji followed by three tears of joy 
8 emoji)." 


£ 


9 Q. Special Agent, did you find any other references to Boris 


12:54 10 and Sasha in Mr. Klyushin's iCloud account? 


11 A. T. did. 


12 MR. FRANK: For identification only, we'd mark 152. 


13 Exhibit 152 for identification.) 


14 ‘ for you, Special Agent, I'd offer 170 on the left and 


15 170A on the right. As part of your investigation, did you find 


16 a WhatsApp communication involving the defendant, Boris 
17 Varshavksiy, and Alexander Borodaev, or Sasha Borodaev? 


18 A. 


19 Q. And what are we looking at here in 170 and 170A? 


12:55 20 A. This is a screenshot of a contact card for Alexander 


£ 


21 Borodaev associated with the specific telephone number. 


22 ‘ Okay. And where did you find this? 
23 : This was found in -- 


24 ‘ You looked in Mr. Klyushin's account? 


25 . Yes. 
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al Q. Okay. And if we could take a look at 152A, please, who's 


2 involved in this exchange? Is this the group exchange you 


3 referenced a moment ago? 


4 A. Yes. This is between Vladislav Klyushin, Alexander 


5 Borodaev, and Boris Varshavksiy. 
6 ‘ And, again, Alexander Borodaev, his other name? 
7 : Sasha. 


8 : Could you identify the date, please. 


9 : October 24, 2018. 
12:56 10 : Could you read it and identify the speaker, please. 


11 : "Vladislav Klyushin: Take a look at Tesla stock now and 


12 tomorrow after 16:30 and how much it grows." 


13 Q. And I'm just going to stop you right there, Special Agent. 


14 You see that the time stamp there is October 24 at 13:28? 
15 A. 
16 ‘ Okay. And you see that the next entry is at a later time? 


Ly : I do. 


18 : What time is the second entry? 


19 . 16518: 
12:56 20 : Okay. And do you see there is a JPEG file that was 


21 transmitted? 


22 . I do. 


23 ; Were you able to identifi file in the iCloud account? 
24 : Yes 


25 : Okay, we'll call that up in just a moment. Could you read 
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i the next entry at 16:19. 


2 A. "Tt was 288 and after closing became 308, and tomorrow it 


3 will most likely reach 330 and that's 10 percent, and with the 


4 leverage of 2-3 times, it's almost 25. But there are not many 
5 transactions like this in the quarter." 
6 THE COURT: Now, who's saying that? 


7 THE WITNESS: This is Vladislav Klyushin to the other 


8 individuals, Alexander Borodaev and Boris Varshavksiy, who are 


9 the other participants in this group communication. 


12:57 10 Q. And directing your attention to the top line where 


1] Mr. Klyushin says, "Take a look at Tesla stock now and tomorrow 


12 after 16:30 and how much it grows." 


13 What is 16:30 Moscow time in Eastern Time? 


14 A. At this time of year, 16:30 Moscow local time was 9:30 


15 Eastern, when the market opens. 


16 MR. FRANK: Can we look at 152C and 152] 


17 moment, Special Agent. 


18 To the extent it was unclear, I offer that, 


19 Ms. Molloy. 


12:58 20 THE CLERK: Okay, thank you. 


21 (Exhibit 152A received in evidence.) 


22 Q. Special Agent, we have an issue displaying Exhibit 152C, 


23 but I'm going to show you 152D, and I believe 152C is 


24 stipulated, so we offer that as well? 


25 (Exhibits 152C and 152D received in evidence.) 
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i Q. And let me show you —- 152D is what, Special Agent? 


2 A. This is an FBI translation from -—- words appearing in 


3 Russian translated into English. 

4 : And 152C was the original Russian version? 

5 ‘ Yes. 

6 ‘ Okay. And what are we looking at in 152D? 

7 : This is the stock chart for Tesla that was communicated in 
8 the chat exchange that we were looking at. 


9 Q. Okay. And what is the price indicated at this particular 


12:59 10 moment in time? 
11 : $288.50. 


12 Q. Could we have 152B, please. Who are the speakers 


13 communicating here? 


14 A. This is, again, another excerpt of the group chat between 


LS Vladislav Klyushin, Sasha Borodaev, or Alexander Borodaev, and 


16 Boris Varshavksiy. 


17 z What is the date of this communication? 


18 : This is March 11 of 2019. 


19 : Could you read the communication in the first box. 


01:00 20 : Yes. 


21 "Klyushin: Good morning. I am back, had a good vacation, 


22 ready to work. Congratulations to Boris, he showed super 


23 result for the four-months period and made $632,000. 


24 Alexander's is a little worse, $461,000. Also, OpenBroker 


25 created a new function and you could follow the value of your 
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1 portfolio online. I will send you the log-in password below. 


2 You could look at it at any time. There will be no bids until 


i April 15, so if you want, you can withdraw extra funds." 


4 Q. And then you see there is a log-in and password for each 


5 individual by the initials BV. Who's BV? 


6 A. BV is initials for Boris Varshavksiy. 


7 Q. And then there is the log-in and password for the 


8 individual with the initials AB? 


9 A. Alexander Borodaev. 


01:01 10 Q. Okay. And the date on this exchange where Mr. Klyushin is 


1] indicating these returns is what? 


12 A. March 11, 2019. 


13 Q. And just for the sake of comparison, if we could just 


14 guickly call up 152A again. What was the date in which 


LS Mr. Klyushin asked Mr. Varshavkiy and Mr. Borodaev to look at 


16 Tesla stock now and tomorrow after the market opens and how 
Ly much it grows? 


18 : October 24, 2018. 


19 s So that was about five months earlier? 
01:02 20 : Yes. 


21 MR. FRANK: Your Honor, is this a good spot? 


22 THE COURT: Yes. It's a good time. See you tomorrow. 


23 THE CLERK: All rise. 


24 (Jury excused.) 


25 THE COURT: I'll see counsel at sidebar. Everybody 
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al. else can be seated. 


2 You can step down, sir. Thanks. 


3 ‘BAR CONFERENCE: 


4 THE COURT: Do you need to speak to your client 


5 afterwards, or should he leave? 


6 MR. NEMTSEV: "d like to speak to him. 


7 THE COURT: Okay, good. All right, so let me say I'm 


8 having a hard time following some of this, and my guess is the 


9 jury is too. The names are strange to us. We haven't really 


01:03 10 heard much about Varshavkiy, Borodaev -- I don't even know all 


11 the other names. We don't know who they are. I don't know who 


12 they are. They're not charged conspirators, and so it's just 


13 hard to follow. And the other guy, what was his name who was 


14 the strange name? 
15 MR. FRANK: Shmucki. 


16 THE COURT: Shmucki or whatever, yeah. I have no idea 


17 these people are. You know, I didn't get them in a -- so 


18 [ trying to understand it, and my guess is, they are too. 


19 For starters, I think it wouldn't hurt to have a list of the 


01:04 20 names for people. Like, I don't know Boris and Sasha. I just 


21 t know these people. I only know Mr. Klyushin, and I know 


22 Mr. Ermakov, a little less so than the —- but at least those 


23 names are listed in the indictment. Sladkov and Irzak, at 


24 least I've heard those names. These other people I don't know. 


25 So I don't know what to do about that. 


01:04 10 


01:05 20 


21 


22 


23 


24 


25 
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THE COURT: 
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MR. NEMTSEV: 


THE COURT: 
just, 
MR. FRANK: 


communication. 


your Honor. 
Varshavksiy, 
fendant's three investors, 


and that's why he's tal 


with all the pictures and stuff, 


We're introducing Mr. 


We're going to make ij 
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t clear through the 


Borodaev, 


so that's goi 


All right, but 


The three names that you're 


and Uryadov are the 


ng to become very, 


lking to them about their 
can clear that up with Special Agent -- 


have not found that they 


They're not alleged to be. 


They're not alleged to be. 


We're not even in 


to them and their responses for context. 


THE COURT: 
to explain it to me, 


MR. KOSTO: 


understand. 


never mind them. 


If it would be helpfu 


print on an 81/2-by-11 


have come up without any ornamentation, 


THE COURT: 


MR. KOSTO: 
COURT: 
MR. FRANK: 
that he's an 


paragraph, 


associate of 


piece of paper each 


ju 


I'm just saying, 


We can see what the n 


And so it was 


didn't know whether -- 
troducing their 


Klyushin's communications 


you've got 


1, your Honor, we can 


of the names that 


st so that -- 


ames are. 


—- you can see the name as it comes up. 


That would be useful. 


All right, now —- 


The sole reason to identify him is to show 


which is with the -- 


the defendant who's in that 
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al THE COURT: So, all right, B, is there an objection to 


3 MR. NEMTSEV: Yes, because 


4 THE COURT: Sustained. 


5 So here's this one. I've already ruled that that's 


6 in. That's D, which is the Ukrainian press release. That's on 


7 his phone, right? 


8 MR. FRANK: Yes. That's in his iCloud, yes. And the 


9 only reason we offered B is just to show that they're together. 


01:05 10 THE COURT: He's just an investor. That's why ] 


11 needed to know who these people were, so -—-— 


12 MR. FRANK: He's not an investor. He's an associate 


13 of the defendant's. But it's irrelevant who he is. It's just 


14 that they're together when this photo was taken, and that's 


15 what the special agent will say. 


16 THE COURT: I don't think it has much relevance, but 


17 MR. FRANK: Otherwise, it's just a photo divorced of 


18 any context. 


19 THE COURT: But it's on his phone, I'm assuming you're 
01:06 20 saying? 


21 MR. It is on his phone. 


22 THE T'll allow that and give a limiting 


23 instruction. 


24 Exhibit D received in evidence.) 


25 HE COURT: No one is alleging that he had anything to 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 171 of 182 
3-171 


a. do with the Ukrainian hacker. 


2 MR. FRANK: Understood, understood. And then there's 


3 the article that is depicted, which is I think Exhibit W or 


5 THE CLERK: You said B, D, and W. 


6 MR. FRANK: if I may, your Honor. 


7 THE COURT: I'll allow that. 


8 (Exhibit W received in evidence.) 


9 MR. FRANK: Maybe you just read the first sentence so 
01:06 10 that it's clear what it is. 


11 THE COURT: I haven't read it, so I don't know if 


12 there's anything in particular in there that's offensive, 


13 but. 


14 MR. NEMTSEV: Just the fact that they pled guilty. 


15 THE COURT: If anything, it's going to give them a 


16 sense of what the punishment is, but, anyway —-- 


17 In any event, now, what is all this? 


18 MR. FERNICH: That's a great question. 


19 MR. FRANK: This is only offered to explain the 


01:07 20 WhatsApp communication that they're objecting to between the 
21 defendant and Mr. Ermakov. That's the WhatsApp communication 


22 where Mr. Klyushin sends the defendant these photographs, says, 


23 I'm having a great time," and Mr. Ermakov says, "I wish 


24 could travel," and Mr. Klyushin says, "I can help you out by 


25 getting you documents in another name that will allow you to 
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2 THE COURT: I think that that's a stretch, and I 


3 excluding all of them. All right, now, what's -- 


4 MR. KOSTO: Photos of the chat itself. 


5 THE COURT: I'm not talking about the chat, just the 


7 MR. FRANK: He can describe the photos without us 
8 putting in the photos. 


9 THE COURT: But the photos are -—- 


01:07 10 MR. NEMTSEV: Describing the photos? 
11 MR. FRANK: Just describing that they are photos of a 
12 vacation is all he would describe so the chat makes sense. 


13 THE COURT: Maybe, but not eight photos of people 


14 having a great time. That beautiful woman, was that his wife? 


LS MR. NEMTSEV: That's his wife. I'll tell her you said 


17 THE COURT: Can I say, he looks a lot older now than 


18 he did in those pictures. 


19 (Cross-talk.) 


01:08 20 THE COURT: The pictures are not in. 


21 THE CLERK: So I have B is out, D is in, and W is in, 


22 correct, just for the record? 
23 MR. FRANK: So there's the WhatsApp chat that 


24 surrounds those photographs. That's the chat. 


25 THE COURT: I'm not ruling on it. I'm just saying the 
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1 pictures are out. 


2 MR. FRANK: Understood. 


3 THE COURT: Okay, all right, these pictures are out. 


4 Now, these, this is the heart of i 


5 MR. FRANK: We're going to get to the chat long bef 
6 we get to that. 


7 THE COURT: That is the Micfo which is R. So, 


8 actually, I've never seen these before actually. 


9 MR. KOSTO: Can I direct you to the page that's most 


01:09 10 relevant? There's no dispute that it's paid, I don't believe. 


11 MR. NEMTSEV: This is the relevant one, right? 


12 MR. KOSTO: A November 24, 2018 invoice, and the 


13 usage in this case was in late October and early November, 


14 2018, so we're about three, four weeks afterward. And the 


15 invoice is produced by Micfo sent to StackPath, the company 


16 that controlled the IP address, and it covers a bill for one IP 


Ly address. 


18 THE COURT: I understand you have an affidavit 


19 under oath at 9:01? 

01:09 20 MR. KOSTO: From StackPath, the 80:36. 
21 THE COURT: They can only say they received this and 
22 it was kept in the ordinary course, right? 
23 MR. KOSTO: Absolutely. 


24 THE COURT: They can't say that they generally did it 


25 and it was accurate. That's what I'm trying to deal with now. 
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think under the business records 


1 I'm trying to figure out -- 


2 rule you can fairly put in that they received that. 
Si MR. KOSTO: And kept it in the ordinary course. 


4 THE COURT: That doesn't necessarily mean all the 


5 information in it is accurate. That's what I'm struggling 


6 with. 


7 MR. NEMTSEV: And this is the information that we're 


8 concerned about because it's testifying what IP, what location, 


9 what computer, what server. 


01:10 10 MR. KOSTO: This is an intangible thing, this IP 


11 address, and the way to prove that it was assigned to an IP 


12 address on a certain date is how the parties paid and how the 


13 documents relate to the IP address for him. I can't bring an 


14 IP address into court and show it to you, but I can show you 


15 that Micfo billed StackPath for it, and StackPath saved this in 


16 the ordinary course. And there are no indicia of 


17 untrustworthiness -- 


18 THE COURT: That's what I need to 


19 MR. KOSTO: What our submission is 


01:10 20 THE COURT: Well, who knows anything about it? 


21 there anyone from StackPath who knows? 


22 MR. NEMTSEV: There is. There's the owner of the 


23 company. 


24 MR. KOSTO: The owner of StackPath will testify that 


25 it received this in the ordinary course of business. What 


01:11 10 


01:12 20 


21 


22 


23 


24 


25 
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owner of Micfo was convicted. 


But the cases we tried to refer you to this morning, and I know 


but the memo talks about the fact 


there has to be some connection between the conviction and 


what's on this invoice for it to have any relevance to 


whether —- 


THE COURT: -—- the business records rule, skipping the 


conviction, the business records rule to allow it in for the 


truth of the matter, it has to be -- 


MR. KOSTO: It does not 


sender. Let me give you a case, 


THE COURT: This is the 


MR. NEMTSEV: And we're 


have to be introduced by the 
your Honor. 
issue. 


proceeding under (e) because 


we can have the opportunity to challenge the reliability of it. 


MR. FRANK: What Mr. Kost 


THE COURT: Can 


Where's the 901 -- 


just st 


to is pointing to —-- 


top for one minute here? 


MR. KOSTO: I don't think there's any dispute about -- 


THE COURT: "The record was made at or about the time 


someone with knowledge..." 


So you'd at least say that he 


received the the company received that invoice but didn't 


pay it. Okay, that part -- they did or they didn't? 


MR. FRANK: They did. 


THE COURT: Why does it say "unpaid"? 


MR. FRANK: Because the version that they happened to 
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1 keep in their files happened to say "unpaid," but all the 
2 subsequent —--— 
3 MR. KOSTO: We provided the bank records to 


4 Mr. Nemtsev that showed that the invoice was paid by StackPath. 


5 THE COURT: T mean, that's helpful to me, actually, 


6 because if it was unpaid, I don't know much about it, so -- 


7 MR. KOSTO: I don't think we have a dispute there. 


8 THE COURT: It says "unpaid." I wouldn't know that. 


9 And so the question is, so there is a paid invoice that was 


01:12 10 kept in the ordinary course of business. Making a record, I 


‘lal suppose here it's -—- we don't know much about whether it was a 


12 regular course of activity, but I'm assuming for a minute at 


13 least paying the invoice was. "All of these conditions are 


14 shown by the testimony of a custodian under Rule 902," right? 
15 We keep that. So now the challenge is under (e): "The 


16 opponent does not show that the source of the method or 


17 circumstances of preparation indicate a lack of trustworthiness." 


18 so that's where this controversy is hinging, I think. 


19 All right, so I understand Lee's been at this all day, 


01:13 20 but what is the challenge -- what were they indicted for? 


21 Convicted of, I should say. 


22 MR. NEMTSEV: They were convicted of creating fake 


23 businesses and fake business records to submit to ARIN, 
24 which -—- 


25 THE COURT: What's ARI 
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alt MR. NEMTSEV: ARIN is this, in short, registry that 


2 hands out IPs for creating fake businesses and fake records, 


3 submitting them to ARIN to get those IPs, and then selling them 


4 off without the knowledge. That was the conviction. 


5 MR. KOSTO: May 


6 THE COURT: Yes. 


a MR. KOSTO: ARIN is the national organization in the 


8 United States that assigns all the IP addresses. What Micfo 


9 id -- and ARIN controls a limited supply of them. What Micfo 


01:14 10 did, because it had run out of their supply -- and this is in 


11 the indictment between 2014 and 2019, covering this 
12 period -- 


13 THE COURT: I don't know. 


14 MR. KOSTO: But before you continue, your Honor, what 


15 Micfo did was make up a shell company, Jones Company, and 


16 submitted an application to ARIN on behalf of Jones Company 


17 saying, "We are entitled to more IP addresses." And ARIN, not 


18 knowing that it was Micfo, gave them more IP addresses. But 


19 the case does not involve Micfo failing to sell them, failing 


01:14 20 to assign them, failing to send them to data centers, failing 


21 to do the work and invoicing for it. There's no connection 


22 between the invoicing here -- 
23 MR. FRANK: The whole point was that they wanted more 


24 of these addresses that they could sell and actually supply 


25 their customers with. It's not that they were pretending to 
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1 have addresses or pretending to put addresses on server 


2 computers. That was never the allegation. 


3 THE COURT: I don't know. Let me think about it. 


4 MR. FRANK: They weren't faking these records. Just 


5 because JP Morgan fakes a record in its mortgage lending 
6 business doesn't mean that it's ATM records. 


7 THE COURT: You know what? I'll think about it. 


8 MR. FERNICH: If it were JP Morgan, it would be a 


9 different story, but this is basically a one-man show. 


01:15 10 THE COURT: Let me think about it. I think I've ruled 


11 on everything else. 


12 MR. NEMTSEV: Except the chat, the chat associated 


£ 


13 with those pictures biking and the wife, where he says, "I'll 


14 give you a fake identity." 


15 THE ‘COURT: To == 


16 MR. FRANK: He says to Ermakov, "I will help you 


Ly travel under a fake name." 


18 THE COURT: All right, we can skip that. We don't 


19 need that. 
01:16 20 MR. : Your Honor, that's critical to the 


21 criminal 


22 COURT: Why? 
23 . FRANK: Because who would you talk to about that? 
24 The whole point that they're trying to do is say that these 


25 guys are acquaintances. What we're trying to do is show that 


Case 1:21-cr-10104-PBS Document 182 Filed 02/06/23 Page 179 of 182 


3-179 


1 they're not just people who hang out together. 


2 MR. NEMTSEV: They're in a sauna together. 


3 MR. FRANK: They're people who have an exceptionally 


4 close relationship. 


5 MR. NEMTSEV: Agreed. 


6 MR. FRANK: They are the people who the defendant 


7 trusts enough, he trusts -—- 


8 THE COURT: I sustain that objection. It's not 


9 critical. They're in the sauna together naked. That's as 


01:16 10 close as it gets. 


11 MR. FERNICH: That's the bonding. 


12 THE COURT: All right, but let me just say this: How 
13 much longer is he? 


14 MR. FRANK: Probably a couple hours. 


15 THE COURT: Okay, fair enough. Does he put in the 


LS) MR. FRANK: Yes. 


18 THE COURT: He does. How long do you think you'll 


19 need with him? 


01:16 20 MR. EV: An hour, an hour anda half. 


21 All right, so he's most of tomorrow. 


22 ‘ IMTSEV: He's most of tomorrow. 


23 URT: Okay, who's next? 


24 MR. FRANK: Probably Jeffrey Zorck who's with Saxo 


25 Bank, and he's going to put in a recording that will take some 


01:17 10 


01:17 20 


21 


22 


23 


24 


25 
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THE COURT: He's from Copenhagen? 


MR. FRANK: He just moved to Sarasota. 


THE COURT: All right, but let me tell you, 


be in Sarasota than here the last couple of days. 
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I'd rather 


MR. KOSTO: Your Honor, can I give you a case? 


THE COURT: That would be helpful. Did you tell them 


what it is? 


MR. KOSTO: I did. [t has to do with the receiving 


company of an invoice -- 


MR. FRANK: Your Honor, I'd ask to be able 


persuade you on the WhatsApp communications because 


to try and 


that is 


really -- the closeness of this relationship, it's more than 


just -- 


There's no dispute about it. They're 


besties. 


But there's a difference. 


Bxcuse me. 


We also have to deal with the Porsche 


NEMTSEV: But not the cars, right? 


COURT: Not the blown-up -- 


I'm allowing in the license plates but not 


FRANK: What we've done is I can show your 
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Honor we've redacted the hood ornament, so you can't tell 
that it's a Porsche. 


THE COURT: What's wrong with that? Can I tell you, 


when Porsche comes to shove, this is not going to change this. 


(Laughter. ) 


(End of sidebar conference.) 


(Adjourned, 1:18 p.m.) 
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